Nebraska Sues Change Health Care After Data Breach

Notice of Lawsuit Document

Photo: Hailshadow / iStock / Getty Images

Lincoln— Nebraska Attorney General Mike Hilgers is suing Change Healthcare alleging violations Consumer Protection and Data Security Laws.

 The complaint stems from a data breach and subsequent operational shutdown that exposed the personal and electronic protected health information of what the Attorney General’s Office believes to be at least hundreds of thousands of Nebraskans.

The data stolen includes some of the most sensitive information about a person, including information reflecting medical diagnoses. The shutdown also disrupted critical healthcare services across the state. The lawsuit claims that the defendants’ failure to implement proper security measures exacerbated the data breach, leaving healthcare providers unable to deliver timely care and placing Nebraskans’ most sensitive information at risk.

 

“This data breach is historic. Not only because it compromised the most sensitive privacy and financial data of Nebraskans, but also because it shut down the payment and claim processing systems that form a significant part of the backbone of the medical payment processing industry,” said Attorney General Hilgers. “Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We’re filing this suit to hold Change accountable.”

 

The Attorney General’s lawsuit highlights systematic failures by including:

 

  • Outdated and poorly segmented IT systems that failed to meet basic enterprise security standards.
  • Inadequate response to the breach, including the failure to detect unauthorized access for over a week, allowing hackers to establish themselves unnoticed inside Change’s systems. This allowed hackers to access personal data and protected health information.
  • Delays in notifying consumers of the breach, with affected Nebraskans only beginning to receive notifications nearly five months after the breach was discovered.
  • Widespread operational disruptions that halted prior authorizations for medical care and prescriptions, leaving patients without necessary medications and treatments.
  • Financial and operational burdens placed on healthcare providers, such as Nebraska hospitals, pharmacies, and doctors’ offices.
  • Significant harm to Nebraska patients, including the potential for identity theft, financial fraud, and exploitation of personal health information.

 

The Change Healthcare data breach began on February 11, 2024. An investigation determined that throughout nine days, the hacker navigated Change’s systems undetected, creating privileged administrator accounts, installing malware, and exfiltrating terabytes of sensitive data.

 

The Attorney General’s Office is also calling on Nebraska healthcare providers who may have been affected by this cyberattack to come forward. Providers can submit their contact to the Nebraska Attorney General’s Office at ProtectTheGoodLife.Nebraska.gov.

 

“A functioning medical marketplace needs to have a trustworthy medical payments backbone. It requires companies who do what they say they will do, and do everything possible to protect Nebraska’s health information and who provide proper notice to Nebraskans when their data is breached. This suit is intended to help restore trust in our system and remedy the harm suffered by Nebraskans and their medical providers.” said Attorney General Hilgers.

 

The Nebraska Hospital Association is reacting to the lawsuit:

“On behalf of our 92 member hospitals and health systems, I would like to thank Attorney General Hilgers for his efforts to hold these companies accountable to their legal obligation to keep health information private,” said Jeremy Nordquist, President of the Nebraska Hospital Association. “Cyber security is critical for health care and the recklessness shown by Change Healthcare in using outdated technology that did not even require basic two-factor authentication must be addressed.”

 


Sponsored Content

Sponsored Content