Change Healthcare Completes Notifying Affected Individuals of Massive Data Breach, But Hides Notice from Search Engines

Riley King

January 15, 2025 · 4 min read

Change Healthcare, a leading healthtech company, has announced that it has "substantially" completed notifying individuals affected by a massive ransomware attack that exposed sensitive health data of over 100 million people. The attack, which occurred in February 2024, resulted in months-long outages that disrupted care across the U.S. healthcare system and became the largest known theft of medical data in U.S. history.

The company paid the hackers a ransom to prevent further publication of the stolen data and obtained a copy of the stolen data to begin notifying affected individuals. However, Change Healthcare's notification process has been criticized for being slow, with the company only starting to notify individuals four months after receiving the stolen files.

In an update to the data breach notice on its website, Change Healthcare stated that it has notified the impacted customers for whom it has a postal address on file. However, the company acknowledged that it may not have sufficient addresses for all potentially impacted individuals, which is why the website notice exists: to provide customers and individuals with information about the criminal cyberattack.

Despite the update, a review of the breach notice's web page source code reveals that Change Healthcare included hidden "noindex" code on the notice, which tells search engines to ignore the web page. This makes it more difficult for anyone searching the web for the notice to find it in search results. The code has been present on the notice since at least November 20, 2024.
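A site owner can audit its own notice pages for this kind of directive. The check below is an added example, not code from the article or from Change Healthcare; it assumes the directive takes one of the standard forms (a robots `meta` tag or an `X-Robots-Tag` response header), since the article does not show the actual markup, and the sample pages are constructed.

```python
from html.parser import HTMLParser

# Directives that keep a page out of search results ("none" = noindex + nofollow).
BLOCKING = {"noindex", "none"}
# Meta names crawlers honour: the generic one plus crawler-specific ones.
ROBOT_META_NAMES = {"robots", "googlebot", "bingbot"}


class _RobotsMetaParser(HTMLParser):
    """Collects (meta name, directive) pairs from robots-style <meta> tags."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if name in ROBOT_META_NAMES:
            for token in a.get("content", "").split(","):
                self.found.append((name, token.strip().lower()))


def indexing_blockers(html, headers=None):
    """Return the reasons a page would be dropped from search results."""
    reasons = []
    parser = _RobotsMetaParser()
    parser.feed(html)
    for name, directive in parser.found:
        if directive in BLOCKING:
            reasons.append(f"meta {name}: {directive}")
    # The same directive can be sent as an HTTP response header,
    # where it never appears in the page source at all.
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag":
            for token in value.split(","):
                # A token may carry a crawler prefix, e.g. "googlebot: noindex".
                directive = token.split(":")[-1].strip().lower()
                if directive in BLOCKING:
                    reasons.append(f"header X-Robots-Tag: {directive}")
    return reasons


# Constructed sample pages (not the real notice markup).
HIDDEN = '<html><head><META NAME="Robots" CONTENT="NOINDEX, follow"></head><body>Notice</body></html>'
VISIBLE = '<html><head><meta name="robots" content="index, follow"></head><body>Notice</body></html>'
```

An empty list means neither form of the directive was found; running the check against both the fetched HTML and the response headers matters because a header-level `noindex` is invisible in "view source".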

The reason behind Change Healthcare's decision to hide the page from search engines remains unclear. UnitedHealth spokesperson Tyler Mason declined to comment on the matter, and the company did not provide a specific number of individuals notified beyond the estimated 100 million number shared with the U.S. government's health department in October 2024.

The Department of Health and Human Services' Office for Civil Rights, which oversees federal investigations of data breaches involving protected health information, did not respond to a request for comment on the matter. The agency is likely to be monitoring the situation closely, given the massive scale of the breach and the potential risks to affected individuals.

Change Healthcare's handling of the breach has drawn criticism from several U.S. states, including California, Massachusetts, Nebraska, and New Hampshire, which have intervened by notifying residents to stay alert to identity theft and fraud following the data breach. In December 2024, Nebraska brought legal action against Change Healthcare for a string of security failings that led to the breach.

The state's attorney general, Mike Hilgers, expressed concerns that Change Healthcare's lack of adequate notice to affected individuals left the state's citizens "more vulnerable to exploitation of the sensitive personal financial, health, and identifying information." The legal action and criticism from states highlight the need for healthcare companies to prioritize transparency and timely notification in the event of a data breach.

The incident is a stark reminder of the importance of robust cybersecurity measures in the healthcare industry, where sensitive patient data is at risk. As the industry continues to grapple with the challenges of protecting patient data, Change Healthcare's experience serves as a cautionary tale about the devastating consequences of a data breach and the need for swift and transparent communication in the aftermath.

Copyright © 2024 Starfolk. All rights reserved.