US healthcare and insurance giant UnitedHealth hid its Change Healthcare data breach notice from many of those affected for months, according to new reports.
Last year, UnitedHealth subsidiary Change Healthcare, which is responsible for processing patient billing, suffered a data breach that resulted in major delays in processing bills and healthcare across the country.
The company paid a ransom to the first group that claimed the incident, ALPHV, but that threat actor then went dark and cheated the affiliate behind the breach out of the US$22 million payment.
Following this, the RansomHub gang claimed responsibility for the incident, initially seeking a second ransom payment. It eventually listed the data for sale.
UnitedHealth said it began notifying those affected in June last year. According to the latest update on its site, Change Healthcare said it had notified those impacted who had a postal address on file but added that it “may not have sufficient addresses for all potentially impacted individuals” and that the notice on its site was for everyone.
However, as originally reported by TechCrunch, it appears that Change Healthcare made an effort to keep the notice under wraps.
The publication’s analysis of the breach notice site’s source code revealed that the healthcare organisation had added a “noindex” directive, which tells search engines such as Google not to index the page, so the notice did not appear in search results and was very hard to find.
According to TechCrunch, the noindex directive had been present on the data breach notice since at least November 2024.
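The "noindex" mechanism described above is worth being able to check for yourself, because it can live in two places: a robots meta tag in the page's HTML, or an X-Robots-Tag HTTP response header that never shows up in the page source at all. The script below is an added example, not code from the article, from TechCrunch's analysis, or from UnitedHealth; the HTML snippets and header dictionaries in it are constructed samples, not the real notice page.

```python
"""Detect 'noindex' directives that keep a page out of search results.

Added example (not from the original article). Checks both places a
noindex directive can live: a robots <meta> tag in the HTML and an
X-Robots-Tag HTTP header. Sample HTML and headers below are constructed.
"""
from html.parser import HTMLParser

# Meta names honoured by major crawlers. A crawler-specific name
# ("googlebot", "bingbot") overrides the generic "robots" tag for that bot.
ROBOTS_META_NAMES = {"robots", "googlebot", "bingbot"}


class _RobotsMetaParser(HTMLParser):
    """Collect (meta name, directive) pairs from robots meta tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if name in ROBOTS_META_NAMES:
            for token in a.get("content", "").split(","):
                token = token.strip().lower()
                if token:
                    self.directives.append((name, token))


def meta_noindex(html: str) -> list:
    """Return the robots meta names that carry 'noindex' (or 'none',
    which is shorthand for 'noindex, nofollow'), sorted; [] if none."""
    parser = _RobotsMetaParser()
    parser.feed(html)
    return sorted({n for n, d in parser.directives if d in ("noindex", "none")})


def header_noindex(headers: dict) -> bool:
    """True if an X-Robots-Tag header forbids indexing.

    The value may be bare ('noindex') or scoped to one crawler
    ('googlebot: noindex'), and several directives may be comma-separated.
    """
    for key, value in headers.items():
        if key.lower() != "x-robots-tag":
            continue
        for part in value.split(","):
            directive = part.split(":", 1)[-1].strip().lower()
            if directive in ("noindex", "none"):
                return True
    return False


def is_hidden_from_search(html: str, headers: dict) -> bool:
    """True if either mechanism would keep the page out of search results."""
    return bool(meta_noindex(html)) or header_noindex(headers)


# --- constructed samples; not the real breach-notice page ---------------
HIDDEN_HTML = """<!doctype html><html><head>
<title>Notice of Data Incident</title>
<meta name="robots" content="noindex, nofollow">
</head><body><p>Notice text...</p></body></html>"""

VISIBLE_HTML = """<!doctype html><html><head>
<title>Notice of Data Incident</title>
<meta name="description" content="Notice of a data security incident">
</head><body><p>Notice text...</p></body></html>"""

HEADER_HIDDEN = {"Content-Type": "text/html", "X-Robots-Tag": "googlebot: noindex"}
PLAIN_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for label, html, hdrs in [
        ("meta noindex", HIDDEN_HTML, PLAIN_HEADERS),
        ("header noindex", VISIBLE_HTML, HEADER_HIDDEN),
        ("no directive", VISIBLE_HTML, PLAIN_HEADERS),
    ]:
        print(f"{label:15s} hidden={is_hidden_from_search(html, hdrs)}")
```

To run it against a live page, fetch the body and response headers (for example with `urllib.request` or `curl -i`) and pass them to `is_hidden_from_search`. Note the caveat: many legitimate pages carry noindex for ordinary reasons, so the directive on its own shows only that a page was kept out of search results, not why.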
While it is unclear why UnitedHealth and Change Healthcare made efforts to hide the data breach notice, the organisations have previously been criticised for their slow notifications.
In June 2024, the US Department of Health and Human Services indicated that UnitedHealth could take on the burden of notifying patients on behalf of affected healthcare organisations.
“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” said US Department of Health and Human Services Office for Civil Rights director Melanie Fontes Rainer in a statement.
At the time, UnitedHealth said it would still be several months before it could identify all those affected and begin notifying them, despite the attack having occurred on 21 February 2024, more than three months earlier, and despite US law requiring that affected individuals be notified of a data breach within 60 days of its discovery.
The breach affected some 100 million Americans, according to the US Department of Health and Human Services, making it the largest healthcare data breach in US history.
According to earlier disclosures, the exposed data may have included Social Security numbers, health insurance member IDs, treatment details, patient diagnoses, and healthcare provider billing codes.