Nebraska has become the first state to file a lawsuit against Tennessee-based Change Healthcare following a major data breach in February that compromised the personal and medical information of at least 575,000 Nebraskans. Nationally, the breach affected 100 million people—nearly a third of the U.S. population—after a low-level employee’s login credentials were hacked, exposing sensitive data.
Attorney General Mike Hilgers announced the lawsuit on Monday, accusing the company of negligence in data security and delays in notifying affected individuals. Hilgers described the breach as one of the largest in modern history, pointing out that the company allowed a low-level employee access to a full data set and failed to implement basic security measures like two-factor authentication.
The attack was carried out by the BlackCat ransomware group, which gained nine days of unrestricted access to the system, extracting vast amounts of sensitive information. Hilgers warned that once such data is leaked onto the dark web, it cannot be retrieved.
The lawsuit, filed in Lancaster County District Court, targets Change Healthcare, its parent company UnitedHealth Group, and its subsidiary Optum. It alleges violations of Nebraska’s consumer protection and financial data security laws, as well as deceptive trade practices and potential breaches of federal health privacy standards. The state is seeking restitution for Nebraskans and potential fines of up to $2,000 per violation.
Hilgers emphasized the importance of stronger security measures, stating, “This lawsuit sends a clear message: companies handling customer data must prioritize robust security systems.” He also criticized the company for its delayed response, saying Nebraska clients only began receiving notifications nine months after the breach.
UnitedHealth CEO Andrew Witty testified earlier this year that the company paid a $22 million ransom to hackers and acknowledged that Change Healthcare was using outdated technology during the attack. The breach has already caused financial strain for healthcare providers like Bryan Health in Lincoln and rural hospitals across Nebraska.
The stolen data includes medical records, diagnoses, test results, addresses, and treatment histories, which could be used for scams, blackmail, or harassment. Hilgers urged Nebraskans to be vigilant about potential scams and verify any suspicious medical billing requests. Concerns can be reported to the Attorney General’s consumer protection hotline at 402-471-2682 or toll-free at 800-727-6432.