Nebraska Attorney General Takes Legal Action Against Change Healthcare Over Cyberattack

By Daniel Lopez

Nebraska Attorney General Mike Hilgers is the first state Attorney General to take legal action against Change Healthcare over the ransomware attack it suffered on February 11, 2024. A BlackCat/ALPHV affiliate breached Change Healthcare’s network, moved laterally through its systems, and exfiltrated data for nine days before deploying ransomware to encrypt files. Change Healthcare paid a $22 million ransom to prevent the stolen data from being exposed. However, the ransomware group cheated Change Healthcare and exposed the stolen information anyway.

The attackers stole the personal, medical, and financial data of approximately 100 million people, including the sensitive information of about 575,000 Nebraska residents. The stolen information included names, Social Security numbers, contact details, driver’s license numbers, medical data, insurance data, and billing details.

The ransomware affiliate gained access using the username and password of a low-level customer support employee, which AG Hilgers stated had been published in a Telegram group chat known for selling stolen data. The credentials allowed the affiliate to sign in through a Citrix remote access service that did not require multifactor authentication. The attacker then created privileged admin accounts, extracted sensitive information, and deployed ransomware without being detected. The attack was only discovered when files were encrypted and access was blocked.

Attorney General Hilgers stated that healthcare organizations, including critical access hospitals in rural areas, were unfairly forced to absorb financial losses, causing major cash flow problems and, in some cases, slowed services. Change Healthcare also failed in its duty to notify Nebraskans, depriving them of the chance to prepare for potential scams and fraud. The lawsuit therefore seeks to hold Change Healthcare accountable.

On December 16, 2024, AG Hilgers filed a lawsuit in the District Court of Lancaster County, Nebraska, naming as defendants Optum Inc., Change Healthcare Inc., and their parent company, UnitedHealth Group Incorporated (UHG). The complaint alleges that they failed to implement standard security practices and that Change Healthcare’s security shortcomings worsened the cyberattack and caused substantial harm to Nebraska residents.

The lawsuit claims the cybersecurity failures violated Nebraska’s consumer protection and data security laws. Those failures included outdated and poorly segmented IT systems, a lack of multifactor authentication, and a failure to isolate backup systems from the primary network, meaning the attacker could disable both at once. The attack forced a complete shutdown of Change Healthcare’s network, which doctors’ offices, pharmacies, and hospitals relied on.

Attorney General Hilgers also alleges an inadequate response to the cyberattack and data breach. The attack went unnoticed for 9 days, and Change Healthcare then took 5 months to begin sending notification letters to the people whose data was stolen. Notifications are still being sent, although the investigation and notification processes are in their final phases.

A healthcare marketplace depends on a trustworthy medical payment system. It needs companies that are dependable, that do everything necessary to secure Nebraskans’ medical data, and that properly notify Nebraskans in the event of a data breach. The legal action is intended to help restore trust in the network and address the harm suffered by Nebraskans and their healthcare providers.

Although Nebraska was the first state to file a lawsuit, it is unlikely to be the last. Other State Attorneys General may also take legal action against UHG and Change Healthcare. The HHS’ Office for Civil Rights is investigating possible violations of the HIPAA Rules, and several class action lawsuits have been filed over the data breach.


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA