Nebraska Attorney General Files Change Healthcare Lawsuit After Catastrophic Data Breach
Nebraska Attorney General Mike Hilgers announced a major lawsuit against Change Healthcare on December 16, 2024. The lawsuit, filed in Lancaster County District Court, alleges violations of Nebraska’s Consumer Protection and Data Security Laws.
The lawsuit stems from a significant data breach and subsequent operational shutdown. This incident exposed the personal and electronic protected health information (ePHI) of potentially hundreds of thousands, or even over a million, Nebraskans.
The Change Healthcare Lawsuit: Details of the Data Breach and Alleged Failures
The stolen data included extremely sensitive personal information: medical diagnoses, Social Security numbers, driver’s license numbers, health insurance information, medical records, and billing details.
The Attorney General’s office alleges that Change Healthcare’s failures significantly exacerbated the impact of the data breach. These failures include:
- Outdated and poorly segmented IT systems that failed to meet basic enterprise security standards.
- Inadequate response to the breach, with unauthorized access going undetected for over a week. This allowed hackers to establish themselves within Change’s systems, access personal data and protected health information, and install malware.
- Delays in notifying consumers of the breach. Affected Nebraskans only began receiving notifications nearly five months after the breach was discovered.
- Widespread operational disruptions. These disruptions halted prior authorizations for medical care and prescriptions, leaving patients without necessary medications and treatments.
- Significant financial and operational burdens placed on Nebraska healthcare providers, including hospitals, pharmacies, and doctors’ offices. This caused major cash flow issues and, in some cases, delayed services.
- Significant harm to Nebraska patients, including the potential for identity theft, financial fraud, and exploitation of personal health information.
The breach began on February 11, 2024. The username and password of a low-level customer support employee were posted in a Telegram group known for selling stolen credentials. A hacker used these credentials to access Change’s systems via Citrix, a remote access service.
For over nine days, the hacker remained undetected. They created privileged administrator accounts, installed malware, and exfiltrated terabytes of sensitive data. The hacker’s actions were only detected on February 21, 2024, when ransomware was deployed, crippling Change’s systems.
Change Healthcare’s response was to take its systems offline. This effectively shut down its operations, further exacerbating the harm caused by the breach.
The widespread disruption significantly affected Nebraska’s healthcare system. Rural hospitals and critical access facilities, already operating on thin margins, were particularly hard hit. Providers faced delays in receiving payments for insurance claims and incurred significant costs switching to new transaction clearinghouses. Patients experienced delays in receiving medications and treatments.
The Attorney General’s Response and the Change Healthcare Lawsuit’s Objectives
Attorney General Hilgers emphasized the severity of the situation: “This data breach is historic. Not only because it compromised the most sensitive privacy and financial data of Nebraskans, but also because it shut down the payment and claim processing systems that form a significant part of the backbone of the medical payment processing industry.”
He further stated: “Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We’re filing this suit to hold Change accountable.”
The lawsuit seeks to hold Change Healthcare accountable for its failures. It aims to ensure stronger data security measures are implemented and to secure damages and penalties for the harm caused to Nebraska residents and healthcare providers.
The Attorney General’s Office is urging Nebraska healthcare providers affected by the cyberattack to come forward. They can submit their contact information to the Nebraska Attorney General’s Office at ProtectTheGoodLife.Nebraska.gov.
Attorney General Hilgers concluded: “A functioning medical marketplace needs to have a trustworthy medical payments backbone. It requires companies who do what they say they will do, and do everything possible to protect Nebraska’s health information and who provide proper notice to Nebraskans when their data is breached. This suit is intended to help restore trust in our system and remedy the harm suffered by Nebraskans and their medical providers.”
The Change Healthcare lawsuit is a significant development in the ongoing effort to address data security failures in the healthcare industry.