UnitedHealth Conceals Change Healthcare Data Breach Notice for Months: What You Need to Know

Change Healthcare, a leading healthtech company owned by UnitedHealth, recently announced that it has “substantially” completed the process of notifying individuals affected by a significant data breach. This incident, which involved the loss of sensitive health data for more than 100 million people, was a result of a ransomware attack that occurred in February 2024.

Overview of the Change Healthcare Ransomware Attack

The February 2024 ransomware attack on Change Healthcare marked one of the most severe data breaches in U.S. history, disrupting patient billing services and healthcare operations nationwide. This incident not only impacted the company’s ability to process patient billing but also raised concerns regarding the security of personal health information.

Details of the Data Breach

According to reports, Change Healthcare took measures to mitigate the effects of the breach by paying a ransom to the hackers. In return, the company received a copy of the stolen data, which enabled them to begin notifying affected individuals.

• Ransom paid to hackers: Change Healthcare aimed to prevent further publication of the stolen data.
• Notifying affected individuals: The company has managed to notify customers for whom they have postal addresses on file.
• Data breach scale: Over 100 million individuals were potentially impacted, making it the largest theft of medical data in U.S. history.

Challenges with Notification and Transparency

Despite their efforts, Change Healthcare faced criticism for the delay in notifying affected individuals. The company only began this process four months after receiving the stolen data, raising concerns about their commitment to transparency.

Hidden Notification Page

Interestingly, Change Healthcare’s data breach notice was not easily accessible online due to the inclusion of a hidden noindex code in the webpage’s source code. This code instructs search engines to ignore the page, making it challenging for individuals searching for information about the breach to find it. This practice has been in effect since at least November 20, 2024.

State Responses and Legal Actions

The delayed notifications led several states, including California, Massachusetts, Nebraska, and New Hampshire, to take action. These states advised residents to remain vigilant against identity theft and fraud in light of the breach. In December 2024, Nebraska initiated legal proceedings against Change Healthcare, citing inadequate security measures that contributed to the breach.

The Attorney General of Nebraska, Mike Hilgers, expressed concerns about the potential exploitation of sensitive personal and financial information resulting from the breach.

Conclusion

As the situation unfolds, Change Healthcare continues to face scrutiny regarding their handling of this massive data breach. The implications of this incident highlight the urgent need for improved cybersecurity measures in the healthcare sector. For more information on data breach prevention and cybersecurity best practices, visit the HHS website.

For ongoing updates, stay tuned to our healthcare cybersecurity updates page.