Change Healthcare’s Data Breach Notice: A Case of Hidden Transparency
In a shocking revelation, it has come to light that Change Healthcare, a UnitedHealth-owned health tech company, hid its data breach notice from search engines for months. The company suffered a massive ransomware attack in February 2024 that resulted in the theft of over 100 million people’s sensitive health data, and it included a “noindex” code on its breach notice webpage. This code instructed search engines to ignore the page, making it difficult for individuals to find the notice through online searches.
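A check for this kind of directive, as an added example that is not from the original article or from Change Healthcare's site: it scans a page's HTML and response headers for instructions that keep it out of search indexes. The article does not say how the "noindex" code was delivered, so the robots meta tag and the X-Robots-Tag header are both assumed here, and the function names, the crawler watch list and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}                   # "none" means "noindex, nofollow"
META_NAMES = {"robots", "googlebot", "bingbot"}  # assumed watch list of crawler names

class RobotsMetaParser(HTMLParser):
    """Collects (name, content) for robots-style <meta> tags."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}
        name = attr.get("name", "").strip().lower()
        if name in META_NAMES:
            self.tags.append((name, attr.get("content", "")))

def blocking_directives(value):
    """Return the index-blocking directives in a comma-separated value.
    A header may scope a directive to one crawler ("googlebot: noindex"),
    so only the text after the last colon of each item is compared."""
    items = (d.rsplit(":", 1)[-1].strip().lower() for d in value.split(","))
    return sorted(set(items) & BLOCKING)

def find_noindex(html, headers=None):
    """List every place the page tells crawlers not to index it."""
    findings = []
    parser = RobotsMetaParser()
    parser.feed(html)
    for name, content in parser.tags:
        for d in blocking_directives(content):
            findings.append(f"meta[{name}]: {d}")
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag":
            for d in blocking_directives(value):
                findings.append(f"header[x-robots-tag]: {d}")
    return findings

# Constructed sample pages (not the real notice).
HIDDEN = '<head><title>Notice</title><meta name="robots" content="noindex, nofollow"></head>'
VISIBLE = ('<head><meta name="robots" content="index, follow">'
           '<meta name="description" content="noindex"></head>')

if __name__ == "__main__":
    print(find_noindex(HIDDEN))
    print(find_noindex(VISIBLE, {"X-Robots-Tag": "googlebot: none"}))
```

Run against a published notice page as part of a release check, an empty result means neither mechanism is asking crawlers to skip it.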
A Delayed and Limited Disclosure
Change Healthcare’s data breach notice was only made available on its website, and even then, it was not easily accessible. The company claimed to have “substantially” completed notifying affected individuals, but it is unclear how many people were actually informed. The breach notice was also limited in its scope, providing general information about the attack rather than specific details about the stolen data.
Criticism and Consequences
Change Healthcare’s handling of the data breach has been widely criticized. The company’s delay in notifying affected individuals, as well as its decision to hide the breach notice from search engines, has raised concerns about transparency and accountability. Several U.S. states, including California, Massachusetts, Nebraska, and New Hampshire, have intervened to notify residents about the breach and provide guidance on protecting themselves from identity theft and fraud.
A Lack of Transparency and Accountability
The incident highlights the need for greater transparency and accountability in the handling of data breaches. Change Healthcare’s decision to hide its breach notice from search engines is a clear example of a lack of transparency, and the company’s delayed notification of affected individuals raises concerns about accountability. As the healthcare industry continues to rely on sensitive patient data, it is essential that companies like Change Healthcare prioritize transparency and accountability in their handling of data breaches.