Nebraska Attorney General Mike Hilgers has taken a significant step by suing Change Healthcare due to a data breach that exposed personal information of about a million Nebraskans earlier this year. After a meticulous months-long investigation, the AG's office filed a lawsuit on Tuesday in Lancaster County District Court, accusing the company of violating Nebraska's consumer protection and data security laws. The breach had far-reaching consequences, not only exposing patients' private information but also disrupting healthcare services statewide.

Impact on Healthcare Providers and Patients

The nine-day data breach, which began on February 11 after a "low-level customer support employee's" username and password was posted on a Telegram group chat, led to widespread chaos. The cyberattack went undetected for 10 days, during which a hacker logged in via Citrix and established privileged administrator accounts, installing malware and exfiltrating terabytes of sensitive data. When the breach was discovered on February 21, ransomware was deployed, crippling Change Healthcare's systems. Compromised data included security numbers, driver's license numbers, health insurance information, medical records, and billing details.This caused significant disruption to Nebraska's healthcare system, especially for rural hospitals and critical access facilities operating on thin margins. Providers had to deliver care without receiving payment for insurance claims, while others incurred costs in switching to new transaction clearinghouses. Patients faced delays in receiving medications and treatments, and their sensitive information remained vulnerable on the dark web.

Systematic Failures by Change Healthcare

Change Healthcare was found to have several systemic failures. Their outdated and poorly segmented IT systems failed to meet basic enterprise security standards. Their response to the breach was inadequate, with the failure to detect unauthorized access for over a week, allowing hackers to establish themselves unnoticed inside the systems and access personal and protected health information. There were also delays in notifying consumers, with affected Nebraskans only starting to receive notifications nearly five months after the breach was discovered. Widespread operational disruptions halted prior authorizations for medical care and prescriptions, leaving patients without necessary medications and treatments. Healthcare providers, such as Nebraska hospitals, pharmacies, and doctors' offices, bore significant financial and operational burdens. And the harm to Nebraska patients was substantial, including the potential for identity theft, financial fraud, and exploitation of personal health information.Hilgers emphasized the severity of the data breach, stating, "This data breach is historic. Not only did it compromise the most sensitive privacy and financial data of Nebraskans, but it also shut down the payment and claim processing systems that form a significant part of the medical payment processing industry. Healthcare providers, including critical access hospitals in rural areas, have been unfairly forced to absorb financial pain, causing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We're filing this suit to hold Change accountable."His office is asking Nebraska healthcare providers who may have been affected by the February cyberattack on Change Healthcare to submit their contact information to the Nebraska Attorney General's Office at ProtectTheGoodLife.Nebraska.gov.