Change Healthcare, a leading health technology company owned by UnitedHealth, has announced the completion of notifications to affected individuals following a catastrophic ransomware attack. The incident, which occurred in February 2024, resulted in one of the largest breaches of medical data in U.S. history, affecting over 100 million people. The breach caused widespread disruptions in patient billing and healthcare services across the nation. Although the company paid a ransom to prevent further data leaks, concerns have arisen regarding the transparency and accessibility of information about this breach.
Change Healthcare has stated that it has largely completed notifying those impacted by the breach. The company has sent notifications to customers for whom it has postal addresses on file. However, due to incomplete address records, some individuals may not receive direct communication. The notification process began four months after the company obtained the stolen data from hackers, and the delay has drawn criticism. Several states, including California, Massachusetts, Nebraska, and New Hampshire, have taken proactive measures to alert residents about potential identity theft and fraud risks.
The delayed notification has raised concerns about the company's handling of sensitive information. Despite receiving the stolen data in August 2024, Change Healthcare only started notifying individuals in December, leaving many vulnerable to exploitation. The state of Nebraska, among others, has initiated legal action against the company, citing inadequate notice and security failures. This delay in public disclosure has heightened public scrutiny and underscored the importance of timely and transparent communication in such incidents.
Further controversy surrounds the accessibility of information about the breach. TechCrunch discovered that Change Healthcare included hidden "noindex" code on its breach notice webpage, which tells search engines not to list the page in their results. This has made it harder for individuals searching online to find details about the breach. The reason for hiding the page remains unclear, as UnitedHealth declined to comment on the matter. This lack of transparency has fueled additional criticism from both the public and regulatory bodies.
The "noindex" code has been on the page since November 2024, which suggests an intentional effort to limit visibility. While the company claims the webpage provides essential information about the cyberattack, its hidden nature raises questions about accountability and trust. The Department of Health and Human Services’ Office for Civil Rights, responsible for investigating breaches involving protected health information, has not commented on this issue. This opacity has left many wondering about the true extent of the breach and the company's commitment to protecting patient data. The ongoing legal actions and public outcry highlight the critical need for greater transparency and accountability in handling such significant data breaches.