Nebraska Sues Change Healthcare Over Massive Data Breach

December 18, 2024

The state of Nebraska has initiated legal action against Change Healthcare, a prominent health technology company, following allegations of significant security deficiencies. These failings reportedly led to a substantial data breach impacting the sensitive health information of a minimum of 100 million Americans.

Details of the Lawsuit

Nebraska’s Attorney General, Mike Hilgers, filed a formal complaint this week asserting that Change Healthcare, a subsidiary of UnitedHealth, did not adequately implement necessary security protocols. This lack of protection, according to Hilgers, resulted in a data breach of “historic” proportions in both its scope and severity.

The lawsuit arises from disclosures made in October, revealing that over 100 million individuals had their confidential medical data compromised during a ransomware attack on Change Healthcare in February. The stolen data encompassed a wide range of personal details, including addresses and phone numbers, as well as critical health information like diagnoses, medications, and treatment plans. Financial and banking data was also exposed.

Security Failures Alleged

Hilgers’ complaint details that Change Healthcare’s “failures to implement basic security protections” significantly worsened the impact of the cyberattack. The attack is attributed to the ALPHV ransomware group, known for its Russian-speaking operatives.

Specifically, the complaint alleges that the company’s IT systems were not properly segmented, allowing hackers to move freely throughout the network. Furthermore, multi-factor authentication was not implemented, meaning systems could be accessed with only a username and password.

How the Breach Occurred

New information revealed in the complaint indicates that hackers initially gained access to Change Healthcare’s network using the credentials of a “low-level customer support employee.” These credentials were reportedly shared on a Telegram group specializing in the sale of compromised login information.

Despite possessing only a “basic, user-level” account without administrative privileges, the hackers were able to infiltrate the server hosting Change’s medication management application, SelectRX. From this point, they created accounts with elevated administrator access, granting them the ability to access and delete data.

“For over nine days, the hacker navigated Change’s systems undetected, creating privileged administrator accounts, installing malware, and exfiltrating terabytes of sensitive data,” the complaint states. The intrusion was only discovered when the hackers encrypted files, effectively locking the company out of its own systems.

Notification Delays and Impact on Residents

Hilgers is also criticizing Change Healthcare for its alleged delay in notifying individuals affected by the breach. He claims that at least 575,000 Nebraskans were impacted, and the state was forced to issue its own public notice due to the company’s failure to provide timely notification – a delay of approximately five months following the cyberattack.

“As of the date of this complaint, the State of Nebraska believes that Defendants have still failed to provide written notice to many affected Nebraskans of the breach, leaving citizens more vulnerable to exploitation of the sensitive personal financial, health, and identifying information,” the complaint emphasizes.

Seeking Damages and Relief

The Nebraska Attorney General is requesting a court order requiring Change Healthcare to pay damages for the harm inflicted upon Nebraska residents and healthcare providers. These providers were reportedly hindered in their ability to receive insurance claim payments, disrupting patient care.

The incident caused significant operational disruptions, resulting in patients being unable to access necessary medications and treatments.

Change Healthcare’s Response

UnitedHealth spokesperson Katherine Wojtecki responded to TechCrunch, stating: “We believe this lawsuit is without merit and we intend to defend ourselves vigorously.” The company also reiterated that its review of the stolen data is “in its final stages,” as previously communicated to TechCrunch in July.

Key Takeaways

  • Data Breach Scale: The breach impacted at least 100 million Americans, potentially more.
  • Security Lapses: Poor system segmentation and lack of multi-factor authentication were key vulnerabilities.
  • Notification Issues: Delays in notifying affected individuals exacerbated the risk of exploitation.
  • Legal Action: Nebraska is seeking damages and improved security practices from Change Healthcare.