When the ledger does a transaction where change is involved it generates a new address for the change each time. This is to obfuscate the transactions as much as possible.
You can verify you own the change address by downloading
https://iancoleman.github.io/bip39/ (preferably to an air gapped computer) and then while offline input your ledger seed and passphrase if used.
Then under 'Derivation Path' select BIP44 you can find your path in the Chrome app by clicking on the account then selecting ACCOUNT SETTINGS, under ADVANCED you will see the 'Root Path' mine was 44'/0'/0'. This will show you all the derived addresses that you may have used for receiving.
To look at the change addresses try adding a 1 in the External/Internal field. If the address it is trying to send output #2 is listed there then you are good to go knowing those funds are going back to your device.
Thanks for instructions, but I am pretty new to all this and half of what you said a way beyond me. Even if I somehow managed to translate and complete the steps I don't understand why only now after dealing with the Hashflare site did this situation occure. In all other transaction, all of which had "change" left over in my account, never was the transactions presented in such a way.