Lincoln, Nebraska — Nebraska Attorney General Michael T. Hilgers has taken legal action against Change Healthcare, its parent company UnitedHealth Group, and its subsidiary Optum in response to a massive data breach. The breach compromised the personal and medical information of approximately 575,000 state residents, prompting the lawsuit filed in Lancaster County District Court this Tuesday. The action accuses the involved parties of not adhering to state consumer protection laws and mishandling the breach, thereby causing significant disruption across the healthcare sector.
The breach, which court documents refer to as a "preventable disaster," reportedly affected millions of patient records nationwide and disrupted critical healthcare services for weeks. As a company that processes billions of medical claims annually, Change Healthcare is a crucial component of the U.S. healthcare infrastructure.
In the wake of these revelations, a spokesperson for UnitedHealth has defended the company’s actions, stating to TechCrunch, “We believe this lawsuit is without merit and we intend to defend ourselves vigorously." They also mentioned that the analysis of the compromised data by Change Healthcare is nearing completion.
The breach was initiated on February 11, 2024, through the exploitation of a low-level employee’s login credentials that were shared in a Telegram group notorious for trading stolen information. This led to hackers infiltrating Change Healthcare’s systems, where they set up administrative accounts and deployed malware. Over nine days, substantial amounts of sensitive data such as Social Security numbers, financial details, and health records were stolen.
The intrusion went unnoticed until February 21, when ransomware group BlackCat encrypted Change Healthcare’s systems, compelling the company to halt operations. This disruption had far-reaching effects, stalling the U.S. healthcare system as hospitals, pharmacies, and clinics were rendered incapable of processing insurance claims or accessing crucial patient data.
The lawsuit highlights significant financial and operational burdens placed on healthcare providers. Large healthcare systems reportedly faced losses amounting to millions of dollars daily, while smaller, rural hospitals—vital to Nebraska’s healthcare framework—faced severe operational challenges. The suit also claims that patients suffered delayed treatments, prescription denials, and that scammers exploited the situation by impersonating healthcare professionals.
Alleged shortcomings in cybersecurity practices at Change Healthcare are a focal point of the litigation. The complaint points out the use of outdated technology and lack of multi-factor authentication and adequate data segmentation within their systems. Despite these vulnerabilities, UnitedHealth Group, which acquired Change Healthcare in 2022, reportedly knew about these issues, which were noted in congressional testimony by UHG’s CEO about the reliance on legacy systems and physical servers.
Further aggravating the situation, Change Healthcare allegedly delayed notifying those affected, with some individuals remaining uninformed months afterward. The lawsuit claims this delay, which lasted until late July following pressure from the Attorney General, contravened Nebraska’s laws requiring the prompt notification of data breaches.
Nebraska’s healthcare providers, particularly its 62 critical access hospitals, have suffered disproportionally, with some having to rely on cash advances or drains on reserve funds to maintain operations.
As this legal case progresses, it could potentially set a precedent for how states handle significant cybersecurity failures within critical industries. The outcome of this lawsuit may also influence discussions on data security within healthcare and corporate responsibility post-breach.
The Nebraska Attorney General’s Office has called for healthcare providers in the state who suspect they were affected by the cyberattack to come forward by contacting them through the website ProtectTheGoodLife.Nebraska.gov.
This article was automatically generated by OpenAI, and the people, facts, circumstances, and story mentioned may not be accurate. For corrections, retractions, or to request article removal, please email [email protected].