Change Healthcare Faces Legal Action Over Alleged Negligence in Safeguarding Client Information
Nebraska's Attorney General, Michael T. Hilgers, has filed a lawsuit against Change Healthcare, its parent company UnitedHealth Group, and operating entity Optum, following a data breach that exposed the confidential data of approximately 575,000 Nebraskans. The lawsuit, filed in Lancaster County District Court on Tuesday, alleges that the companies violated Nebraska's consumer protection laws and poorly managed the incident, resulting in widespread disruption to the healthcare system.
The data breach, described in court documents as a "preventable disaster", allegedly affected millions of patient records across the US and halted essential healthcare services for weeks. Change Healthcare, which processes billions of medical claims annually, is a vital component of the nation's healthcare infrastructure.
In response to TechCrunch, a UnitedHealth spokesperson stated that they believe the lawsuit to be without merit and plan to vigorously defend themselves. The spokesperson also mentioned that the review of the stolen data by Change Healthcare was nearing completion.
The Data Breach and Its Consequences
According to the lawsuit, the breach started on February 11, 2024, when login credentials for a low-level employee were posted on a Telegram group known for selling stolen information. Hackers reportedly used these credentials to infiltrate Change Healthcare's systems, subsequently creating administrator accounts and installing malware. Over the following nine days, the attackers allegedly exfiltrated terabytes of sensitive data, including Social Security numbers, financial information, and electronic health records.
The hackers' activity went undetected until February 21, when the ransomware group BlackCat encrypted Change Healthcare's systems, prompting the company to shut down its operations. The court filing suggests that the disruption caused the US healthcare system to grind to a halt, with hospitals, pharmacies, and clinics unable to process insurance claims or access crucial patient information.
As stated in the complaint, healthcare providers faced significant financial and operational challenges. Larger systems reportedly lost millions of dollars daily, while smaller rural hospitals, an essential part of Nebraska's healthcare network, struggled to stay afloat. Patients also reported delays in care, denied prescriptions, and scammers allegedly taking advantage of the chaos by posing as healthcare providers to steal financial information.
Alleged Security Flaws
The lawsuit accuses the defendants of negligence in their cybersecurity practices, stating that the breach was preventable. It points out various weaknesses in Change Healthcare's systems, such as:
- Outdated Infrastructure: The lawsuit suggests that Change Healthcare's systems relied on outdated technology, leaving them vulnerable.
- Lack of Multi-Factor Authentication: The complaint claims that the compromised systems did not have Multi-Factor Authentication (MFA), which is a basic security measure.
- Poor Segmentation: The lawsuit alleges that the lack of data segmentation within the network allowed hackers to move freely.
UnitedHealth Group, which acquired Change Healthcare in 2022, was reportedly aware of these weaknesses. The complaint refers to congressional testimony by UHG's CEO, who acknowledged that Change Healthcare's legacy systems were outdated and relied on physical servers instead of more secure cloud-based solutions.
Delayed Notifications
The Nebraska Attorney General's office alleges that Change Healthcare delayed informing affected individuals, with some residents discovering the breach months later. The complaint claims that while the breach occurred in February 2024, Change Healthcare did not start issuing notifications until late July and only after the Attorney General requested an update.
The lawsuit argues that the delay violated Nebraska's Financial Data Protection and Consumer Notification of Data Security Breach Act, which requires prompt notification of affected individuals. The Attorney General also claims that the lack of transparency hindered healthcare providers' ability to respond effectively to the crisis.
The Financial Impact on Nebraska's Healthcare System
The complaint explains the financial strain caused by the breach, stating that healthcare providers were forced to take drastic measures to maintain operations. Some reportedly took out loans or liquidated assets, while others faced significant costs transitioning to new claims processors. Many hospitals and clinics suffered delayed reimbursements or outright claim denials due to missed deadlines caused by the outage.
Rural hospitals, which operate on thin margins, were disproportionately affected, the lawsuit states. The filing alleges that Nebraska's 62 critical access hospitals experienced significant difficulties, with some relying on cash advances or reserve funds to continue operations.
Legal Action and Wider Implications
The Nebraska Attorney General is seeking damages, compensation for affected residents, and injunctive relief to prevent similar incidents. The lawsuit emphasizes the need for accountability, as the defendants failed to meet basic data protection standards despite handling sensitive medical information.
This case could set a precedent for how states handle large-scale cybersecurity failures in critical industries. As the court battle unfolds, it will likely be the focus of discussions relating to data security in healthcare and corporate responsibility in the wake of breaches.
The Nebraska Attorney General's Office is urging healthcare providers in the state who may have been impacted by this cyberattack to come forward. Providers can share their contact information with the Attorney General's Office through the website ProtectTheGoodLife.Nebraska.gov.
I have provided the statements given to TechCrunch. I have also requested a comment. I will update this article once UnitedHealth responds.
- The Nebraska Attorney General's Office alleges in the lawsuit that UnitedHealth Group failed in its duty to protect the data of its customers, leading to the data breach.
- The data breach incident at Change Healthcare, as outlined in the lawsuit, highlights the failure of computer security measures, specifically the lack of Multi-Factor Authentication (MFA) and outdated infrastructure, which made the system vulnerable to hackers.
- The Nebraska Attorney General's Office contends in the lawsuit that the delay in notifying affected individuals of the data breach by Change Healthcare violated state laws and hindered healthcare providers' ability to respond effectively to the crisis.
- The lawsuit against Optum, Change Healthcare, and UnitedHealth Group by the Nebraska Attorney General's Office seeks damages, compensation for affected residents, and injunctive relief to prevent similar incidents, emphasizing the need for accountability in handling sensitive medical information.