On Monday in Lincoln, Nebraska, Attorney General Mike Hilgers took a significant step by filing a lawsuit in Lancaster County District Court. This lawsuit is directed at Change Healthcare, a subsidiary of UnitedHealth Group. The allegations center around violations of Nebraska's Consumer Protection and Data Security Laws.

Data Breach and Its Consequences

The lawsuit stems from a national data breach that exposed the personal and electronic protected health information of a large number of Nebraskans. It is believed that at least 500,000 Nebraskans, if not over a million, had their sensitive data compromised. This data includes medical diagnoses, recommendations, prescriptions, and more. The subsequent operational shutdown disrupted critical healthcare services across the state.The failure of Change Healthcare to implement proper security measures is seen as exacerbating the data breach. Healthcare providers were left unable to deliver timely care, and Nebraskans' most sensitive information was at risk. Attorney General Hilgers emphasized the severity of the situation, stating that this data breach is historic. It not only compromised the privacy and financial data of Nebraskans but also shut down essential payment and claim processing systems.Healthcare providers, especially those in rural areas, have been unfairly burdened with financial pain. Major cash flow issues have arisen, and in some cases, services have been delayed. Additionally, Change Healthcare's failure to provide proper notice to Nebraskans deprived them of the opportunity to protect themselves from possible scams and fraud.

Details of the Breach

The data breach began when the username and password of a low-level customer support employee were posted in a Telegram group chat. A hacker then accessed Change's system through a remote access service and remained undetected for nine days. During this time, a significant amount of data was stolen, including Social Security numbers, driver's license numbers, health insurance information, medical records, and billing details.Change Healthcare only became aware of the activity on February 21, 2024, when the hacker deployed ransomware, crippling their systems. As a result, the company took its systems offline, effectively shutting down its operations. This caused widespread disruption to Nebraska's healthcare system, particularly affecting rural hospitals and critical access facilities.

Legal Actions and Remedies

The Nebraska Attorney General's Office became involved in March 2024 and worked with the Consumer Protection Division to file this lawsuit. The complaint seeks to hold Change Healthcare accountable for its failures. It asks the Court to order the company to implement stronger data security measures and to pay damages and penalties for the harm caused to Nebraska residents and healthcare providers.Attorney General Hilgers advises that anyone affected by the breach should be cautious of calls about medical bills, as they are likely to be scams. He also calls on Nebraska healthcare providers who may have been affected by the cyberattack to come forward and submit their contact information to the Nebraska Attorney General's Office.In conclusion, a functioning medical marketplace requires a trustworthy medical payments backbone. Companies must fulfill their obligations and take every possible measure to protect Nebraska's health information and provide proper notice when data is breached. This lawsuit is aimed at restoring trust in the system and remedying the harm suffered by Nebraskans and their medical providers.