Change Healthcare, a subsidiary of UnitedHealth Group, confirmed on Tuesday that it has “substantially” completed the notification process for individuals affected by a massive 2024 ransomware attack. The incident, which exposed the sensitive health data of over 100 million people, stands as the largest theft of medical information in U.S. history.
The Hidden Disclosure
Despite claiming to have notified impacted customers, the company took unusual measures to prevent the public from finding its official data breach notice. An investigation revealed that Change Healthcare embedded a “noindex” tag into the webpage’s source code. This specific instruction commands search engines to ignore the page, effectively rendering it invisible to users searching for information regarding the cyberattack.
Digital records indicate that this “noindex” directive was present on the site since at least November 20, 2024. UnitedHealth spokesperson Tyler Mason declined to explain why the company intentionally obscured the notice from search results.
A History of Delays and Criticism
The February 2024 ransomware attack crippled one of the largest patient billing processors in the United States, causing widespread outages and disrupting medical care for months. Change Healthcare admitted to paying a ransom to the hackers in an attempt to suppress the stolen data, eventually obtaining a copy of the files to begin the notification process.
However, the company faced intense scrutiny for its slow response, as it waited four months after obtaining the stolen files to begin alerting victims. This lack of transparency prompted state-level intervention, with California, Massachusetts, Nebraska, and New Hampshire issuing their own consumer alerts to protect residents from potential fraud.
Legal Repercussions
The fallout from the breach continues to escalate. In December 2024, the state of Nebraska initiated legal action against Change Healthcare, citing systemic security failures. Nebraska Attorney General Mike Hilgers argued that the company’s failure to provide adequate and timely notice left citizens significantly more vulnerable to the exploitation of their private financial and health information.
To date, UnitedHealth has not provided a precise figure regarding how many individuals were successfully notified, sticking only to the estimated 100 million figure previously shared with federal health authorities in October 2024. The Department of Health and Human Services’ Office for Civil Rights, which oversees such investigations, has yet to comment on the company’s tactics.