Change Healthcare Faces Lawsuit Filed by Nebraska Attorney General

Nebraska’s Attorney General Mike Hilgers filed a lawsuit against Change Healthcare in relation to the ransomware attack it experienced on February 11, 2024. Change Healthcare had been targeted by a BlackCat/ALPHV ransomware group affiliate, who accessed the system, stole information for 9 days, and used ransomware to encrypt files. Change Healthcare paid the ransomware group $22 million to prevent the leakage of stolen information. Despite the ransom payment, the ransomware group still exposed the data stolen from Change Healthcare.

The ransomware attack affected the personal information, medical information, and financial information of roughly 100 million people, including the sensitive data of almost 575,000 Nebraska residents. The stolen data included names, contact information, Social Security numbers, driver’s license numbers, healthcare information, insurance records, and billing information.

The ransomware affiliate accessed the system using the credentials of a low-level customer service employee. AG Hilgers mentioned that the employee credentials were posted in a Telegram group chat where stolen information is often sold. The ransomware affiliate used the credentials to log into the system via a Citrix remote access service that did not have multifactor authentication enabled. The threat actor created privileged administrator accounts, exfiltrated large volumes of sensitive data, and deployed ransomware, all without being detected. The attack was only identified after files were encrypted and data access was blocked.
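The intrusion chain described above (a remote-access logon without MFA, followed by the same identity creating a privileged account) is one that a defender can correlate in authentication and directory audit logs. The following is an added example, not code from the article or from Change Healthcare; the log layout, field names and sample events are constructed for illustration.

```python
# Added example: correlate remote-access logons that lack MFA with
# privileged-account creation by the same identity within a time window.
from datetime import datetime, timedelta

# Constructed sample events modelled on the chain described in the article.
# The key=value layout and field names are assumptions, not a vendor schema.
SAMPLE_EVENTS = [
    "2024-02-11T03:12:05Z event=remote_logon user=cs_agent07 src=203.0.113.40 mfa=false",
    "2024-02-11T03:12:40Z event=remote_logon user=it_ops02 src=198.51.100.9 mfa=true",
    "2024-02-11T04:01:19Z event=account_created actor=cs_agent07 target=svc_admin9 role=DomainAdmin",
    "2024-02-11T09:44:52Z event=account_created actor=it_ops02 target=new_hire14 role=User",
]


def parse_event(line: str) -> dict:
    """Split one log line into a dict; the timestamp becomes a tz-aware datetime."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def no_mfa_logons(lines) -> dict:
    """Map each user that logged on remotely without MFA to its first such logon time."""
    first_seen = {}
    for e in (parse_event(l) for l in lines):
        if e.get("event") == "remote_logon" and e.get("mfa") == "false":
            first_seen.setdefault(e["user"], e["ts"])
    return first_seen


def find_suspicious_chains(lines, window=timedelta(hours=24)) -> list:
    """Return (actor, new_account, delay) for admin-account creations that follow
    an MFA-less remote logon by the same actor within the window."""
    logons = no_mfa_logons(lines)
    alerts = []
    for e in (parse_event(l) for l in lines):
        if e.get("event") != "account_created" or not e.get("role", "").endswith("Admin"):
            continue
        logon_ts = logons.get(e["actor"])
        if logon_ts is not None and logon_ts <= e["ts"] <= logon_ts + window:
            alerts.append((e["actor"], e["target"], e["ts"] - logon_ts))
    return alerts


if __name__ == "__main__":
    for actor, target, delay in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"ALERT: {actor} created privileged account {target} {delay} after an MFA-less logon")
```

The MFA-less logon on its own is worth an alert; the correlation with privileged-account creation is what separates a misconfigured but benign session from the escalation pattern the complaint describes.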

Attorney General Hilgers mentioned that healthcare providers, such as critical access hospitals in non-urban regions, suffered financial problems, had serious cash flow issues and, in certain cases, degraded services. Change Healthcare also failed to meet its breach notification obligations, leaving Nebraskans more vulnerable to scams and fraud. Consequently, Change Healthcare is being held accountable and is facing a lawsuit.

AG Hilgers filed the lawsuit on December 16, 2024 in the District Court of Lancaster County, Nebraska against Change Healthcare Inc., its parent company UnitedHealth Group Incorporated (UHG), and Optum Inc. The complaint alleges that the defendants failed to use standard security measures, and that Change Healthcare’s poor security worsened the cyberattack and caused problems for residents in Nebraska.

The lawsuit states that the cybersecurity issues violated Nebraska’s consumer protection and data security laws. Those problems involved outdated and poorly segregated IT systems, inadequate multifactor authentication, and a failure to separate backup systems from the primary system, which allowed the attacker to disable both. The attack forced Change Healthcare into a total system shutdown, which disrupted physicians’ offices, hospitals, and pharmacies.

Attorney General Hilgers claims that Change Healthcare failed to respond properly to the ransomware attack and security breach. The company failed to identify the attack for 9 days, and Change Healthcare only sent notification letters to the affected individuals after 5 months. The notification process is still ongoing, but is expected to be completed soon.

A reliable medical payment system is a must in the medical marketplace. Companies must ensure the security of Nebraska residents’ medical data and notify them properly in the event of a data breach. The lawsuit is intended to help rebuild trust in the system and address the harm suffered by Nebraskans and their medical providers.

Though Nebraska is the first to file a lawsuit, other State Attorneys General will likely file suit against Change Healthcare and UHG. The HHS’ Office for Civil Rights is investigating potential violations of the HIPAA Rules, and multiple class action lawsuits have been filed as a result of the data breach.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA