HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Hidden notification of the Change Healthcare data breach

Written by Tshedimoso Makhene | Jan 22, 2025 12:17:15 AM

The Change Healthcare data breach has raised concerns after the company posted its breach notification online but hid it from search engines, making it harder for affected individuals to find.

 

What happened

Change Healthcare announced on Tuesday, 14 January 2024, that it has “substantially” completed notifying individuals affected by a February 2024 ransomware attack that exposed the sensitive health data of more than 100 million people. However, the company has faced scrutiny after it was revealed that its online breach notice was intentionally made difficult to find due to hidden code on the webpage.

 

The backstory

The ransomware attack on Change Healthcare occurred in February 2024 and resulted in the largest known theft of medical data in U.S. history. The breach caused widespread disruption across the healthcare system, with months-long outages affecting patient care.

Change Healthcare paid a ransom to the hackers, hoping to prevent further exposure of the stolen data and to obtain a copy of the files to notify affected individuals. Change Healthcare began notifying affected individuals of the data breach on June 20, 2024. By October 22, 2024, Change Healthcare reported to the U.S. Department of Health and Human Services (HHS) that approximately 100 million individual notices had been sent.

 

What was said

According to TechCrunch, Change Healthcare stated it had “notified its impacted customers” but admitted it “may not have sufficient addresses for all potentially impacted individuals,” prompting criticism for its incomplete outreach. Nebraska Attorney General Mike Hilgers condemned the company’s delays, stating that the lack of adequate notice left residents “more vulnerable to exploitation of the sensitive personal financial, health, and identifying information.” Meanwhile, UnitedHealth spokesperson Tyler Mason declined to explain why the breach notice was hidden from search engines, further fueling concerns about transparency.

 

Why it matters

By hiding the breach notice from search engines, Change Healthcare has limited access to critical information for affected individuals. The decision undermines transparency, leaving millions unaware of the breach and increasing their risk of identity theft and fraud.


 

FAQs

What is a “noindex” code?

A "noindex" code is a directive added to the source code of a webpage that instructs search engines not to include that page in their search results. When a search engine like Google or Bing encounters this code, it processes the instruction and ensures that the page does not appear in its index. As a result, the webpage becomes invisible in search results, even though it remains accessible if you know the direct URL.
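The check below is an added example, not code from the article or from Change Healthcare. It shows how a compliance or web team could confirm that a public notice page is not carrying a "noindex" directive, either in a robots meta tag or in an X-Robots-Tag response header. The sample pages are constructed for illustration, and the function and variable names are hypothetical.

```python
from html.parser import HTMLParser

CRAWLERS = {"robots", "googlebot", "bingbot"}  # "robots" applies to every crawler
BLOCKING = {"noindex", "none"}                 # "none" means noindex + nofollow


class _RobotsMeta(HTMLParser):
    """Collects <meta name="robots|googlebot|bingbot" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        name = attr.get("name", "").strip().lower()
        if name in CRAWLERS:
            self.found.append((name, attr.get("content", "")))


def _blocks_indexing(value):
    # Directives are comma separated; a header may prefix one with "googlebot:".
    tokens = {t.rsplit(":", 1)[-1].strip().lower() for t in value.split(",")}
    return bool(tokens & BLOCKING)


def noindex_findings(html, headers=None):
    """Return (source, directive) pairs that tell search engines not to index."""
    parser = _RobotsMeta()
    parser.feed(html)
    findings = [(f"meta[{n}]", c) for n, c in parser.found if _blocks_indexing(c)]
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag" and _blocks_indexing(value):
            findings.append((f"header[{key}]", value))
    return findings


# Constructed sample pages (not the markup of any real notice).
HIDDEN_PAGE = '<html><head><meta name="robots" content="noindex, nofollow"></head></html>'
VISIBLE_PAGE = '<html><head><meta name="robots" content="index, follow"></head></html>'

if __name__ == "__main__":
    print(noindex_findings(HIDDEN_PAGE))
    print(noindex_findings(VISIBLE_PAGE, {"X-Robots-Tag": "googlebot: noindex"}))
```

An empty result means neither the page markup nor the supplied headers ask search engines to skip the page; the check does not cover robots.txt rules, which control crawling rather than indexing.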

 

What information was stolen in the Change Healthcare data breach?

The Change Healthcare data breach exposed sensitive information belonging to over 100 million individuals. The stolen data likely included personal details (names, addresses, Social Security numbers), medical records, billing information, and financial data. This massive breach, linked to a ransomware attack, has raised concerns about privacy and security, with affected individuals urged to monitor their accounts for fraud or unauthorized activity.

 

What risks do affected individuals face?

Those impacted by the breach are at increased risk of identity theft, fraud, and misuse of their sensitive health and financial information.