Nebraska Attorney General Michael T. Hilgers has initiated a significant legal action against Change Healthcare, its parent company UnitedHealth Group, and its operating entity Optum following a substantial data breach that exposed the personal and medical information of approximately 575,000 Nebraskans. The lawsuit, filed in Lancaster County District Court on Tuesday, alleges violations of state consumer protection laws and claims that the companies mishandled the breach, resulting in severe disruptions to the healthcare system.
The breach, described in court documents as a “preventable disaster,” reportedly compromised millions of patient records nationwide and caused critical healthcare services to be halted for weeks. Change Healthcare is a vital player in the U.S. healthcare landscape, processing billions of medical claims annually. The ramifications of this incident have raised alarms about the integrity of patient data security within such a key component of the healthcare infrastructure.
In response to the lawsuit, a spokesperson for UnitedHealth stated, “We believe this lawsuit is without merit and we intend to defend ourselves vigorously.” They also noted that the review of the compromised data by Change Healthcare is nearing completion.
According to the lawsuit, the breach began on February 11, 2024, when login credentials belonging to a low-level employee were shared in a Telegram group notorious for selling stolen information. Hackers exploited these credentials to infiltrate Change Healthcare’s systems, creating unauthorized administrator accounts and deploying malware. Over nine days, attackers allegedly exfiltrated terabytes of sensitive data, including Social Security numbers, financial information, and electronic health records.
The attackers remained undetected until February 21, when the ransomware group BlackCat encrypted Change Healthcare’s systems, forcing the company to take its operations offline. This disruption severely impacted hospitals, pharmacies, and clinics across the nation, preventing them from processing insurance claims or accessing essential patient information.
The lawsuit outlines significant financial and operational challenges faced by healthcare providers as a result of the breach. Larger healthcare systems reportedly lost millions of dollars daily due to halted operations. Smaller rural hospitals—integral to Nebraska’s healthcare network—struggled to maintain services amid ongoing financial strain. Patients experienced delays in care and denied prescriptions during this tumultuous period.
The complaint highlights how scammers exploited the situation by impersonating healthcare providers to steal financial information from vulnerable patients.
The lawsuit accuses Change Healthcare and its affiliates of negligence regarding their cybersecurity practices. Key allegations include:
Outdated Infrastructure: The systems reportedly relied on decades-old technology.
Lack of Multi-Factor Authentication (MFA): The compromised systems lacked basic security measures such as MFA.
Poor Data Segmentation: A lack of proper segmentation allowed hackers to navigate freely within the network.
UnitedHealth Group’s acquisition of Change Healthcare in 2022 allegedly did not address these vulnerabilities adequately. Testimony from UHG’s CEO acknowledged that Change Healthcare’s legacy systems were outdated and reliant on physical servers rather than more secure cloud-based solutions.
The Nebraska Attorney General’s office claims that Change Healthcare failed to notify affected individuals promptly. While the breach occurred in February 2024, notifications were not issued until late July—only after the Attorney General requested an update. This delay allegedly violated Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act, which mandates timely notification for affected individuals.
The lack of transparency hindered healthcare providers’ ability to respond effectively to the crisis and protect their patients.
The complaint details how healthcare providers were forced into drastic measures to sustain operations post-breach. Some took out loans or liquidated assets while others incurred substantial costs transitioning to new claims processors. Rural hospitals faced particularly severe consequences due to their already limited financial margins.
Nebraska’s 62 critical access hospitals were disproportionately affected; many relied on cash advances or reserve funds just to continue operating amidst ongoing challenges stemming from the data breach.
As this lawsuit progresses through the courts, it raises critical questions about data security practices within major healthcare organizations and their responsibilities towards consumers. The outcome may have far-reaching implications for how healthcare entities manage sensitive patient data and respond to breaches in an increasingly digital age.
In summary, this case underscores the urgent need for robust cybersecurity measures within healthcare systems and highlights potential legal ramifications for organizations failing to protect consumer data adequately.