Nebraska AG files lawsuit against Change Healthcare after ‘historic’ data breach
LINCOLN, Neb. (KOLN) – Nebraska Attorney General Mike Hilgers is suing Change Healthcare, along with UnitedHealth Group and Optum, for a data breach that exposed personal information for about a million Nebraskans earlier this year.
After a months-long investigation, the AG’s office filed a lawsuit Tuesday in Lancaster County District Court against the company, alleging violations of Nebraska’s consumer protection and data security laws and accusing Change Healthcare of practices that worsened the breach.
“The Attorney General’s Office asks the Court to order the companies to implement stronger data security measures and to pay damages and penalties for the harm caused to Nebraska residents and healthcare providers,” a Monday release from the AG’s office states.
In addition to exposing patients’ private information, Change Healthcare’s response — to shut down operations and take all systems offline — also disrupted healthcare services statewide, exacerbating the harm experienced by Nebraskans, Hilgers’ office said Monday.
The nine-day data breach was initiated Feb. 11 after the username and password of a “low-level customer support employee” were posted on a Telegram group chat known for selling stolen credentials, according to the AG’s news release on Monday.
The cyberattack wasn’t detected until 10 days later. During that time, a hacker had logged in via Citrix, a remote-access service, using those credentials, the release states.
“For over nine days, the hacker navigated Change’s systems undetected, creating privileged administrator accounts, installing malware, and exfiltrating terabytes of sensitive data,” according to the AG’s update.
The breach was discovered on Feb. 21, when the hacker deployed ransomware, crippling Change Healthcare’s systems. Compromised data included Social Security numbers, driver’s license numbers, health insurance information, medical records, and billing details, the AG’s office said.
“The breach caused widespread disruption to Nebraska’s healthcare system, particularly affecting rural hospitals and critical access facilities operating on already thin margins. Providers were forced to deliver care without receiving payment for insurance claims, while others incurred significant costs switching to new transaction clearinghouses. Patients faced delays in receiving medications and treatments, while their sensitive information remained vulnerable on the dark web,” the AG’s release states.
Nebraska’s lawsuit highlights systematic failures by Change Healthcare, including:
- Outdated and poorly segmented IT systems that failed to meet basic enterprise security standards.
- Inadequate response to the breach, including the failure to detect unauthorized access for over a week, allowing hackers to establish themselves unnoticed inside Change’s systems. This allowed hackers to access personal data and protected health information.
- Delays in notifying consumers of the breach, with affected Nebraskans only beginning to receive notifications nearly five months after the breach was discovered.
- Widespread operational disruptions that halted prior authorizations for medical care and prescriptions, leaving patients without necessary medications and treatments.
- Financial and operational burdens placed on healthcare providers, such as Nebraska hospitals, pharmacies, and doctors’ offices.
- Significant harm to Nebraska patients, including the potential for identity theft, financial fraud, and exploitation of personal health information.
“This data breach is historic. Not only because it compromised the most sensitive privacy and financial data of Nebraskans, but also because it shut down the payment and claim processing systems that form a significant part of the backbone of the medical payment processing industry,” Hilgers said in Monday’s release. “Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We’re filing this suit to hold Change accountable.”
The Nebraska Hospital Association thanked Hilgers for taking legal action.
“This historic cybersecurity breach delayed care to Nebraskans and created additional burdens on our health care providers,” said Jeremy Nordquist, President of the Nebraska Hospital Association. “We need our policymakers to take action to ensure no company ever has this much power again to disrupt our health care system.”
Hilgers’ office is asking Nebraska healthcare providers who may have been affected by the February cyberattack on Change Healthcare to submit their contact information to the Nebraska Attorney General’s Office at ProtectTheGoodLife.Nebraska.gov.
Copyright 2024 KOLN. All rights reserved.