UnitedHealth hid its Change Healthcare data breach notification for months

Change Healthcare, a health technology company owned by UnitedHealth, lost sensitive health data of more than 100 million people in a ransomware attack last year. The company said on Tuesday it had "substantially" completed notifications of the massive data breach.

In February 2024, Change Healthcare, one of the largest patient billing organizations in the United States, was hit by a ransomware attack, causing a months-long service outage and disrupting care throughout the U.S. healthcare system. The data breach also became the largest known theft of medical data in U.S. history. Change Healthcare paid the hackers a ransom with the goal of preventing them from releasing more stolen data, and in exchange the company obtained a copy of the stolen data so that it could begin notifying the people whose information had been stolen.

Change Healthcare updated its data breach notice on its website on Tuesday, saying it had "notified affected customers" whose postal addresses the company had on file. The healthcare giant said it "may not have enough addresses to accommodate all potentially affected individuals" and that the website notification is to "provide customers and individuals with information about criminal cyberattacks."

But if you search the web for Change Healthcare's data breach notification, you're unlikely to find this page in search engine results.

A TechCrunch review of the source code of the breach notification webpage revealed that Change Healthcare included hidden "noindex" code in the notification that told search engines to ignore the page, making it harder for anyone searching the web for the notification to find it. Change Healthcare has been including the "noindex" code in its data breach notifications since at least November 20, 2024.

It's unclear why Change Healthcare hid the page from search engines. UnitedHealth spokesman Tyler Mason had no comment on why Change Healthcare included code that hid the data breach notification. When asked, the spokesperson could not provide a specific number of breach notifications that Change Healthcare has sent, other than the estimated figure of 100 million shared with U.S. government health departments in October 2024.

A spokesman for the Department of Health and Human Services' Office for Civil Rights, which oversees federal investigations of data breaches involving protected health information, did not respond to a request for comment for this story.

Change Healthcare has been criticized for being slow to notify affected individuals of the breach, a process it did not begin until four months after it received copies of the stolen documents. The delay in public disclosure prompted several U.S. states, including California, Massachusetts, Nebraska and New Hampshire, to intervene to notify residents to be wary of identity theft and fraud following the data breach.

In December 2024, the state of Nebraska filed legal action against Change Healthcare, alleging a series of security flaws that led to a data breach. The state's Attorney General, Mike Hilgers, said Change Healthcare's lack of adequate notification to affected individuals left the state's citizens "more vulnerable to the exploitation of sensitive personal financial, health and identity information."