Nebraska becomes first state to sue Change Healthcare over data breach

Chad Van Alstin | | Health Exec | Legal News

Nebraska is suing Change Healthcare and its parent company, UnitedHealth Group, over a February data breach that affected 100 million Americans, state Attorney General Mike Hilgers announced Monday.

Nebraska is the first state to file a claim related to the breach, which impacted approximately 575,000 residents.

The breach resulted from a single server that lacked multifactor authentication, UnitedHealth confirmed to the U.S. Senate in May. Hackers were able to phish credentials and deploy ransomware onto the Change Healthcare network, effectively shutting down medical claims reimbursement for much of the country. 

Some portion of the stolen data, which contained the personal and medical information of roughly one-third of Americans, ended up for sale on the dark web.

Hilgers said he decided to sue because Change Healthcare was not only careless in a way that led to the breach but also failed to notify those impacted in a timely manner, increasing the risk of identity theft and fraud. 

Notifications were not sent to patients until July. 

According to Change Healthcare, the stolen data included provider details, patient names, prescription information, medical record numbers, health plan information, diagnoses, test results and medical images, along with care delivery and treatment details.

“We believe this lawsuit sends a clear message to other companies: If one of the biggest companies in the world doesn’t have multi-factor authentication or basic security in place, every other company handling customer data should be double-checking, triple-checking, and quadruple-checking their systems,” Hilgers said in a statement. He added that Change Healthcare was wrong to give a low-level employee security credentials that could be used to access all of its data.

UnitedHealth Group has yet to respond to the lawsuit. HealthExec has reached out for comment.

Related Articles on Change Healthcare:

Feds make it official: Change data breach was the largest in healthcare history, impacting 100M
State attorneys general send warnings of Change Healthcare breach, urge residents to respond
Emergency reimbursement for Change Healthcare breach ends in July
Q&A: Healthcare cybersecurity advocate fears damage from Change Healthcare breach has only begun
AMA says Change Healthcare breach is crippling independent practices
Chad Van Alstin Health Imaging Health Exec
Chad Van Alstin

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Related Content

Mangione charged with terrorism-related murder in UnitedHealth CEO killing
Bipartisan bills in Congress would force insurance companies, PBMs to sell pharmacies
Mangione charged with murder as 'manifesto' leaks online
UnitedHealth CEO defends company, plans to honor legacy of Brian Thompson
Suspect in murder of UnitedHealthcare CEO arrested in Pennsylvania
Murder of UnitedHealthcare CEO: Everything we know

Around the web

AI in Healthcare
Healthcare AI regulation needs nuance, balance: Research review

When regulating AI-equipped medical devices, the FDA might take a page from the Department of Transportation’s playbook for overseeing AI-equipped vehicles. These run the gamut from assisting human drivers to fully taking the wheel. 

Radiology Business
Pending radiology bills in Congress and predicting the Trump administration's impact on imaging

Kit Crancer, RBMA board member, speaks with Radiology Business about key legislative developments on the Hill that will affect the specialty. 

Cardiovascular Business
Medical device company cuts 70% of staff in push to meet Medtronic obligations

California-based Acutus Medical has said its ongoing agreement to manufacture and distribute left-heart access devices for Medtronic is the company's only source of revenue.