Nebraska Attorney General Mike Hilgers has filed a lawsuit in Lancaster County District Court against the medical payment processing company Change Healthcare, a subsidiary of United Health Group, over a recent data breach.
The Change Healthcare data breach began on February 11, 2024, when the username and password of a low-level customer support employee were posted in a Telegram group chat used for selling stolen credentials. Using these credentials, a hacker accessed Change’s systems through remote access. The hacker navigated Change’s systems undetected, creating privileged administrator accounts, installing malware, and exfiltrating terabytes of sensitive data.
The stolen data included Social Security numbers, driver’s license numbers, health insurance information, medical records, billing details, and more. Defendants failed to detect this activity until February 21, 2024, when the hacker deployed ransomware, crippling Change’s systems. In response, Change took its systems offline, effectively shutting down its operations.
Hilgers says the breach caused widespread disruption to Nebraska’s healthcare system, particularly affecting rural hospitals and critical access facilities. Patients faced delays in receiving medications and treatments, while their sensitive information remained vulnerable on the dark web.
Hilgers’ complaint seeks to hold Change accountable for their failures to implement basic security protections, which exacerbated the extent of the cyberattack. The Attorney General’s Office asks the Court to order the companies to implement stronger data security measures and to pay damages and penalties for the harm caused to Nebraska residents and healthcare providers.
The Attorney General’s Office believes at least hundreds of thousands of Nebraskans have been affected. Hilgers says Change failed to notify Nebraskans of the breach in a timely manner, with many only recently receiving notifications.
The Attorney General’s Office is also calling on Nebraska healthcare providers who may have been affected by this cyberattack to come forward. Providers can submit their contact to the Nebraska Attorney General’s Office at ProtectTheGoodLife.Nebraska.gov.