In response to a data breach that revealed the personal and medical data of an estimated 575,000 Nebraskans, Attorney General Michael T. Hilgers of Nebraska has filed a lawsuit against Change Healthcare, its parent firm UnitedHealth Group, and its operational organization Optum. The corporations are accused of violating state consumer protection regulations and mishandling the situation, which caused extensive disruption to the healthcare system, according to the lawsuit, which was filed in Lancaster County District Court on Tuesday.
According to court filings, the hack, which was referred to as a “preventable disaster,” allegedly affected millions of patient records nationwide and caused weeks-long disruptions to vital healthcare services. Change Healthcare is a vital component of the country’s healthcare system, handling billions of medical claims every year.
A UnitedHealth representative told TechCrunch, “We think this lawsuit is without merit and we intend to defend ourselves vigorously.” and that Change Healthcare was “in its final stages” of reviewing the stolen data.
The Breach of Data and Its Repercussions
The lawsuit claims that the breach started on February 11, 2024, when a low-level employee’s login credentials were shared in a Telegram group that sells stolen data. According to reports, hackers installed malware and created administrator accounts on Change Healthcare’s systems using these credentials. Terabytes of private information, including bank details, electronic health records, and Social Security numbers, were purportedly stolen by the attackers over the course of the next nine days.
It wasn’t until February 21 that the ransomware organization BlackCat locked Change Healthcare’s systems, forcing the company to shut down its activities, that the attackers’ presence became apparent. According to the court filing, the disruption caused hospitals, pharmacies, and clinics to be unable to process insurance claims or obtain critical patient data, bringing the U.S. healthcare system to a complete halt.
Healthcare providers had major operational and financial difficulties, as mentioned in the lawsuit. Smaller rural hospitals, which are vital to Nebraska’s healthcare system, were struggling to survive, while larger institutions reportedly lost millions of dollars every day. Scammers allegedly used the turmoil by posing as healthcare practitioners in order to obtain financial information, and patients reportedly faced delays in care and prescription denials.
Supposed Security Vulnerabilities
The lawsuit claims that the breach was avoidable and charges the defendants with carelessness in their cybersecurity procedures. It draws attention to a number of purported weaknesses in Change Healthcare’s systems, such as:
- Older Infrastructure: Modernization According to the lawsuit, healthcare systems used technology that was decades old.
- Absence of multi-factor verification According to the complaint, a fundamental security feature called Multi-Factor Authentication, or MFA, was absent from the hacked computers.
- Inadequate segregation: According to the lawsuit, hackers were able to roam freely throughout the network because there was insufficient data segregation.
Allegedly, UnitedHealth Group was aware of these vulnerabilities when it purchased Change Healthcare in 2022. According to UHG’s CEO’s congressional testimony, which is included in the complaint, Change Healthcare’s legacy technologies were antiquated and depended on physical servers rather than safer cloud-based alternatives.
Postponed Alerts
Change Healthcare allegedly failed to tell impacted people of the breach for months, leaving some residents in the dark, according to the Nebraska Attorney General’s office. Although the breach happened in February 2024, according to the complaint, Change Healthcare didn’t start notifying people until late July, and then only after the Attorney General asked for an update.
According to the lawsuit, the delay was in violation of Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act, which mandates that impacted parties be notified as soon as possible. Additionally, according to the Attorney General, the lack of openness made it more difficult for healthcare practitioners to react to the situation in an efficient manner.
The Price to the Healthcare System in Nebraska
According to the complaint, healthcare providers had to take extreme measures to continue operating, which resulted in significant financial burden. According to reports, some borrowed money or sold assets, while others had to pay hefty fees to switch to new claims processors. Due to missed deadlines brought on by the outage, some hospitals and clinics experienced either delayed payments or outright claim denials.
The lawsuit claims that hospitals in rural areas, which have narrow profit margins, were more severely impacted. According to the petition, 62 critical access hospitals in Nebraska suffered disproportionately, with some having to rely on reserve funds or cash advances to stay open.
Legal Action and Wider Consequences
In order to stop such occurrences, the Nebraska Attorney General is requesting injunctive relief, restitution for impacted citizens, and civil fines. The complaint highlights the significance of responsibility by claiming that, despite handling some of the most sensitive personal and medical data, the defendants did not adhere to fundamental data protection rules.
This case might establish a standard for how governments handle significant cybersecurity breaches in vital sectors. As the case progresses, it will probably become a central topic of conversation about healthcare data security and corporate accountability following breaches.
Healthcare professionals in the state who might have been affected by this incident are being encouraged to come forward by the Nebraska Attorney General’s Office. Through the website, providers can provide the Attorney General’s Office with their contact details.
