Nebraska AG Sues Change Healthcare Over Data Breach Impact
2024-12-19
Nebraska Attorney General Michael T. Hilgers has taken a significant step by filing a lawsuit against Change Healthcare, along with its parent company UnitedHealth Group and operating entity Optum. This legal action comes in the wake of a data breach that exposed the personal and medical information of an estimated 575,000 Nebraskans. The lawsuit was filed in Lancaster County District Court on Tuesday, alleging that these companies violated state consumer protection laws and mishandled the incident, leading to widespread disruption in the healthcare system.

Nebraska's Legal Battle Against Healthcare Data Breach

The Data Breach and Its Extent

The data breach, described in court documents as a "preventable disaster," is alleged to have compromised millions of patient records across the United States. Change Healthcare, which processes billions of medical claims annually and is a crucial link in the nation's healthcare infrastructure, was infiltrated. Hackers gained access after login credentials for a low-level employee were posted in a Telegram group known for selling stolen information. Over the following nine days, they exfiltrated terabytes of sensitive data, including Social Security numbers, financial information, and electronic health records. The attackers' presence went undetected until February 21, when the ransomware group BlackCat encrypted Change Healthcare's systems, forcing the company to take its operations offline.

This disruption brought the U.S. healthcare system to a standstill, with hospitals, pharmacies, and clinics unable to process insurance claims or access vital patient information. Healthcare providers faced significant financial and operational challenges. Larger systems reportedly lost millions of dollars per day, while smaller rural hospitals, which are critical to Nebraska's healthcare network, struggled to stay afloat. Patients also experienced delays in care and denied prescriptions, and scammers took advantage of the chaos by impersonating healthcare providers to steal financial information.

Alleged Security Failures

The lawsuit accuses the defendants of negligence in their cybersecurity practices, claiming that the breach was preventable. It highlights several alleged vulnerabilities in Change Healthcare's systems. One is outdated infrastructure: according to the lawsuit, the company's systems relied on decades-old technology. Another is the lack of multi-factor authentication; the complaint alleges that the compromised systems did not have this basic security measure in place. Poor segmentation also allowed hackers to move freely within the network, according to the lawsuit.

UnitedHealth Group, which acquired Change Healthcare in 2022, was allegedly aware of these vulnerabilities. Congressional testimony from UHG's CEO acknowledged that Change Healthcare's legacy systems were outdated and relied on physical servers instead of more secure cloud-based solutions.

Delayed Notifications and Their Impact

The Nebraska Attorney General's office alleges that Change Healthcare delayed notifying affected individuals. Some residents are still unaware of the breach months later. The complaint claims that while the breach occurred in February 2024, Change Healthcare did not start issuing notifications until late July and only after being requested to do so by the Attorney General. This delay is argued to have violated Nebraska's Financial Data Protection and Consumer Notification of Data Security Breach Act, which requires prompt notification of affected individuals. The lack of transparency also hindered healthcare providers' ability to respond effectively to the crisis.

The Cost to Nebraska's Healthcare System

The complaint details the financial strain caused by the breach. Healthcare providers were forced to take drastic measures to maintain operations. Some reportedly took out loans or liquidated assets, while others incurred significant costs when transitioning to new claims processors. Many hospitals and clinics faced delayed reimbursements or outright claim denials due to missed deadlines caused by the outage. Rural hospitals, operating on slim margins, were particularly hard-hit. The filing alleges that Nebraska's 62 critical access hospitals suffered disproportionately, with some relying on cash advances or reserve funds to continue operations.

Legal Action and Broader Implications

The Nebraska Attorney General is seeking civil penalties, restitution for affected residents, and injunctive relief to prevent similar incidents. The lawsuit emphasizes the importance of accountability and argues that the defendants failed to meet basic data protection standards despite handling sensitive personal and medical information. This case could set a precedent for how states address large-scale cybersecurity failures in critical industries. As the legal battle unfolds, it will likely serve as a focal point for discussions around data security in healthcare and corporate responsibility in the aftermath of breaches. The Nebraska Attorney General's Office is urging healthcare providers in the state who may have been impacted by this cyberattack to come forward. Providers can share their contact information with the Attorney General's Office through the website ProtectTheGoodLife.Nebraska.gov. I have included the statements provided by UnitedHealth to TechCrunch and have requested comment. I will update this article when UnitedHealth responds.