Medical Care
AG Sues Change Healthcare over 575,000 Nebraskans' Data Breach
2024-12-16
In Lincoln on Monday, Nebraska made history by becoming one of the first states to take legal action against Tennessee-based Change Healthcare. This medical payments company was at the center of a data breach that exposed the personal information and medical records of at least 575,000 Nebraskans. Nationally, the U.S. Department of Health and Human Services estimated that a staggering 100 million people, nearly a third of the U.S. population, had their data stolen in that February breach due to a low-level employee's careless act of posting login credentials online.
Attorney General's Perspective
Nebraska Attorney General Mike Hilgers is leading the lawsuit, emphasizing the company's negligence in handling data and the slow pace of notifying affected individuals. He deems this hack one of the "largest" in modern history. Hilgers pointed out that it was wrong for the company to allow a low-level employee access to a full data set and that no company should store such sensitive information on outdated technology that doesn't require two-factor authentication. He believes the company's management has violated legal responsibilities for protecting data.
The BlackCat ransomware group, known for targeting large companies for bitcoin or other payments, has claimed credit for the hack. Hilgers stated that the group had nine days of unrestricted access to the system and retrieved a vast amount of data about Nebraskans and Americans. Once the information is on the dark web, it becomes extremely difficult to retrieve.
His office sued Change Healthcare, UnitedHealth Group, and Optum for allegedly violating the state's financial data protection and consumer protection statutes. It also alleged violations of deceptive trade practices law and potential violations of federal health privacy law and health information technology protection standards. Each violation of the consumer protection law could cost the company up to $2,000, and fines are possible for data protection failures. Hilgers aims to seek restitution to make Nebraskans whole for their losses.
UnitedHealth Group's Involvement
UnitedHealth CEO Andrew Witty testified before the U.S. House Energy and Commerce Committee in May, revealing that the company paid hackers a $22 million ransom. He mentioned that Change Healthcare, which his group had acquired, was using older technology that was in the process of being upgraded. U.S. Rep. Cathy McMorris Rodgers, R-Wash., expressed concerns, stating that the companies' actions would likely serve as a case study in crisis mismanagement for decades to come.
Many companies implement strict access controls to limit which employees have access to what data. Two-factor authentication provides an additional layer of security by verifying the identity of registered users trying to log in.
Impact on Providers and Patients
Change Healthcare is a payment processing company that plays a crucial role in ensuring medical providers get paid. Bryan Health in Lincoln is one such provider that has been affected by the breach. Hilgers mentioned that rural, critical access hospitals have lost money due to the breach, putting some in a cash-flow crunch.
The company dragged its feet on legally required notification of Nebraska clients from February until the Attorney General's Office got more involved in May. Hilgers believes notifications should have been prompt and not required such extensive efforts.
Nine months later, people are only starting to receive notices, but these do not empower Nebraskans to take action or be prepared. Hilgers emphasized the importance of being vigilant against potential scams related to the hack.
The stolen data included medical records, telephone numbers, addresses, doctors, diagnoses, medicines, test results, images, and care and treatment histories. This sensitive information can be used to harass, blackmail, or extort money from people.
Hilgers advised Nebraskans who receive calls seeking immediate payment for a medical procedure to take down the information and verify the authenticity of the call by looking up the real number for the involved company. He urged people to call the Attorney General's consumer protection hotline at 402-471-2682 or toll-free at 800-727-6432 if they have concerns about a possible scam.