Nebraska becomes first state to sue Change Healthcare over data breach

Nebraska is suing Change Healthcare and its parent company, UnitedHealth Group, over a February data breach that affected 100 million Americans, state Attorney General Mike Hilgers announced Monday.

Nebraska is the first state to file a claim related to the breach, which impacted approximately 575,000 residents.

The breach resulted from a single server that lacked multifactor authentication, UnitedHealth confirmed to the U.S. Senate in May. Hackers were able to phish credentials and deploy ransomware onto the Change Healthcare network, effectively shutting down medical claims reimbursement for much of the country. 

Some portion of the stolen data, which contained the personal and medical information of roughly one-third of Americans, ended up for sale on the dark web.

Hilgers said he decided to sue because Change Healthcare was not only careless in a way that led to the breach but also failed to notify those impacted in a timely manner, increasing the risk of identity theft and fraud. 

Notifications were not sent to patients until July. 

According to Change Healthcare, the stolen data included provider details, patient names, prescription information, medical record numbers, health plan information, diagnoses, test results and medical images, along with care delivery and treatment details.

“We believe this lawsuit sends a clear message to other companies: If one of the biggest companies in the world doesn’t have multi-factor authentication or basic security in place, every other company handling customer data should be double-checking, triple-checking, and quadruple-checking their systems,” Hilgers said in a statement. He added that Change Healthcare was wrong to give a low-level employee security credentials that could be used to access all of its data.

UnitedHealth Group has yet to respond to the lawsuit. HealthExec has reached out for comment.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
