Nebraska sues Change Healthcare over massive data breach impacting 575,000 residents

Nebraska Attorney General Mike Hilgers announced Monday that the state has filed a lawsuit against Change Healthcare, UnitedHealth Group, and Optum following a data breach in February 2024 that exposed the sensitive information and medical records of at least 575,000 Nebraskans. The breach, attributed to the BlackCat ransomware group, is part of a larger incident that compromised data from approximately 100 million Americans.

Hilgers criticized the Nashville-based Change Healthcare for its inadequate data protection measures, describing the breach as one of the largest in modern history. The lawsuit alleges violations of Nebraska’s financial data protection, consumer protection, and deceptive trade practices laws, as well as possible breaches of federal health privacy regulations. Each violation under Nebraska’s consumer protection law could result in fines of up to $2,000.

The BlackCat ransomware group reportedly had nine days of unrestricted access to Change Healthcare’s systems, during which it extracted medical records, personal identifiers, and financial details. Hilgers condemned the company for allowing low-level employees access to such sensitive information without adequate safeguards like multi-factor authentication.

“The scale of this breach and the company’s negligence in protecting personal information are unacceptable,” Hilgers said during a press conference. “Once data is on the dark web, you can’t put it back. This breach has left Nebraskans vulnerable to scams, fraud, and potential harassment.” The stolen data includes names, addresses, phone numbers, medical histories, test results, diagnoses, and prescriptions. This information, Hilgers warned, could be weaponized for scams, extortion, or blackmail.

Hilgers noted that some rural hospitals in Nebraska have faced financial strain due to the breach, further complicating their operations. He singled out Bryan Health in Lincoln, which began notifying patients of the breach last spring. Despite the breach being discovered in February, Change Healthcare allegedly delayed notifying affected individuals until May, following pressure from the Attorney General’s office. Notifications continued to trickle out even months later, leaving consumers ill-equipped to address potential threats.

The lawsuit, filed in Lancaster County District Court, seeks restitution for Nebraskans impacted by the breach. Hilgers emphasized that this legal action should serve as a warning to other companies handling sensitive data to strengthen their security protocols.

Notably, UnitedHealth’s CEO Andrew Witty testified before Congress in May, acknowledging that the company paid hackers a $22 million ransom. He admitted that Change Healthcare was operating on outdated technology at the time of the breach, which was being updated.