UnitedHealth Data Breach: Change Healthcare Notice Delayed

Change Healthcare Data Breach Notification Update

Change Healthcare, a health technology firm owned by UnitedHealth, has announced the substantial completion of notifications to individuals impacted by the significant data breach experienced last year. This breach involved the sensitive health data of over 100 million people and was the result of a ransomware attack.

Impact of the February 2024 Attack

The ransomware attack on Change Healthcare, a major patient billing processor in the United States, caused considerable disruption to the U.S. healthcare system with outages lasting several months. The incident is now recognized as the largest known theft of medical data in the nation’s history.

To mitigate further data publication, Change Healthcare opted to pay a ransom to the attackers. As part of this agreement, they received a copy of the compromised data, enabling them to begin the process of informing those whose information was exposed.

Notification Challenges and Website Visibility

Change Healthcare stated in a recent update on its website that it has notified customers for whom current postal addresses were available. However, the company acknowledged that complete address information for all potentially affected individuals may not be on file.

Interestingly, a search for the Change Healthcare data breach notice yields limited results. This is due to the inclusion of “noindex” code within the webpage’s source code.

Hidden “Noindex” Code

This “noindex” code instructs search engines to disregard the page, effectively hindering its discoverability in search results. TechCrunch’s analysis confirms that Change Healthcare implemented this code as early as November 20, 2024.

The rationale behind concealing the page from search engines remains unclear. UnitedHealth spokesperson Tyler Mason declined to comment on the reason for this decision.

Furthermore, the spokesperson could not provide a precise figure for the number of individuals notified beyond the previously reported estimate of 100 million, shared with the U.S. Department of Health and Human Services in October 2024.

Regulatory Response

The Department of Health and Human Services’ Office for Civil Rights, responsible for investigating data breaches involving protected health information, has not yet responded to requests for comment regarding this matter.

Criticism and Legal Action

Change Healthcare has faced criticism regarding the timeline of notifications, initiating contact with affected individuals four months after obtaining the stolen data. This delay prompted intervention from several U.S. states.

States including California, Massachusetts, Nebraska, and New Hampshire issued alerts to residents, advising vigilance against potential identity theft and fraud following the breach.

In December 2024, Nebraska initiated legal proceedings against Change Healthcare, citing a series of security deficiencies that contributed to the breach. Attorney General Mike Hilgers asserted that the insufficient notification to affected individuals increased the vulnerability of the state’s citizens to exploitation of their personal information.