Change Healthcare Faces Scrutiny Over Massive Data Breach and Delayed Notifications

In a shocking revelation, Change Healthcare paid a ransom to hackers following the largest known theft of medical data in U.S. history. The breach, which occurred in February 2024 as a result of a ransomware attack, compromised the sensitive health data of over 100 million individuals, sending ripples across the U.S. healthcare system. The attack led to months-long outages that severely disrupted patient care nationwide. Despite the severity, Change Healthcare delayed informing affected individuals for four months after obtaining a copy of the stolen data through the ransom payment.

The breach initially went unnoticed by the public, largely because Change Healthcare hid its data breach notice from search engines using "noindex" code, a directive that tells search engine crawlers to leave a page out of their results. The directive was applied to the notice as early as November 20, 2024. As a result, the company faced considerable criticism for its sluggish response in notifying individuals about their potentially compromised data.

In response to the breach, several states, including California, Massachusetts, Nebraska, and New Hampshire, took measures to inform their residents about the potential risks of identity theft and fraud. They urged citizens to remain vigilant. Meanwhile, Nebraska initiated legal action against Change Healthcare in December 2024, citing security failings that contributed to the breach.

The company's delayed reaction and failure to promptly notify those affected drew ire from both individuals and regulatory bodies. It wasn't until months later that Change Healthcare began reaching out to those whose data had been compromised. The company has now "substantially" completed the notification process for individuals for whom it has postal addresses on file.

"Provide customers and individuals with information about the criminal cyberattack" – Change Healthcare

Despite these efforts, the damage had already been done. Many affected individuals felt left in the dark during a critical period when they could have taken steps to protect themselves from further harm. The states' intervention highlighted the gravity of the situation and emphasized the need for better communication and transparency from companies handling sensitive data.
