In a 29-page lawsuit filed Monday morning in Lancaster County District Court, lawyers in Attorney General Mike Hilgers' office accused Change Healthcare and two co-defendants of violating the state's consumer protection and financial data security laws by failing to safeguard Nebraskans' confidential information.
The lawsuit, which Hilgers unveiled at a news conference Monday at the Capitol, centers around a February data breach in which hackers used "a low-level, customer support employee’s "login credentials to gain "undetected and unimpeded access" to a vast amount of sensitive customer data, Hilgers' office alleged in the complaint.
With access that for nine days went undetected by Change Healthcare and its parent company, UnitedHealth Group, hackers with the BlackCat ransomware group stole private information — including Social Security numbers, medical diagnoses and test results and financial account details — from tens of millions of patients, according to the lawsuit.
The data theft ensnared roughly 100 million patients across the U.S. — nearly 30% of the country — and likely affected at least 575,000 Nebraskans, Hilgers' office alleged in the lawsuit. It is believed to be the largest-ever data breach in the United States.
Hilgers accused the companies, which process roughly half of all medical claims in the U.S. and pull in $370 billion in revenue each year, of violating their own data security policies that should have prevented the breach and misrepresenting the strength of their data security practices to the public.
The state also accused Change Healthcare of being slow to notify customers that their data may have been compromised and "remains accessible on the dark web." Hilgers' office issued a consumer alert in May notifying Nebraskans of the breach and noting the provider hadn't yet done so.
In the lawsuit, his office alleged Change Healthcare still hadn't notified customers of the data breach as of late July. At Monday's news conference, Hilgers said some Nebraskans had received mailed notices last week — 10 months after the breach.
Hilgers said the conglomerate's failures to prevent, detect and notify consumers of the the breach halted cash flow for state health care providers and put Nebraskans at risk of identify theft and fraud.
"If you don't follow these rules, you've got to provide notice. If you don't do these things, then states or others can hold you accountable," Hilgers told reporters Monday. "And that's what we're looking to do."
"I mean, this is one of the biggest companies in the world," he added. "If they don't have two-factor authentication — I think any other company out there that handles customer data like this should be double-checking, triple-checking, quadruple-checking their systems to ensure that all the things that they think should be in place are actually in place."
A spokeswoman for Change Healthcare did not immediately return an email seeking comment Monday.
Hilgers' office is seeking a jury trial to litigate the lawsuit, which aims to force the company to pay civil penalties and direct damages to each Nebraskan affected by the breach.
Jeremy Nordquist , the president of the Nebraska Hospital Association, praised Hilgers' office's "efforts to hold these companies accountable to their legal obligation to keep health information private."
"This historic cybersecurity breach delayed care to Nebraskans and created additional burdens on our health care providers,” Nordquist said in a statement Monday afternoon, calling on lawmakers to "take action to ensure no company ever has this much power again to disrupt our health care system.”
Nebraska's Republican attorney general has repeatedly turned to the state's consumer protection laws in his initial two years in office to take on perceived bad actors in court, including companies as large as the social media giant TikTok and small-scale THC storefronts across Nebraska.
At Monday's news conference, Hilgers said he would prefer to "never have to sue any of them."
"We're not looking for targets," he said. "I'll say that we're not looking to just sue a bunch. But I will say — and I promise Nebraskans — that we will stand up for Nebraskans and defend them. And in these types of cases, almost the only entity that's strong enough to stand up to these big companies are state AGs."
©2024 Lincoln Journal Star, Distributed by Tribune Content Agency, LLC.
