Nebraska AG sues Change Healthcare, UnitedHealth for data theft after ransomware attack

Nebraska’s Attorney General has filed a lawsuit against Change Healthcare accusing the company of exposing the sensitive healthcare information of state residents and leaving healthcare providers unable to provide care following a ransomware attack in February. 

The 29-page filing alleges violations of Nebraska’s consumer protection and data security laws and says Change Healthcare — which is owned by UnitedHealth Group (UHG) — failed to implement proper security measures that exacerbated the data breach, disrupting critical healthcare services across the state.

“This data breach is historic. Not only because it compromised the most sensitive privacy and financial data of Nebraskans, but also because it shut down the payment and claim processing systems that form a significant part of the backbone of the medical payment processing industry,” said Attorney General Mike Hilgers. 

“Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We’re filing this suit to hold Change accountable.”

A spokesperson for UHG told Recorded Future News, “We believe this lawsuit is without merit and we intend to defend ourselves vigorously.”

The cyberattack on Change Healthcare is one of the most consequential ransomware attacks in U.S. history, exposing the sensitive healthcare information of about 100 million Americans and paralyzing the country’s healthcare industry for weeks. 

Change Healthcare acts as a clearinghouse, providing revenue and payment cycle management services that connect patients, providers, pharmacies and payers within the healthcare pipeline. 

The company processes about half of all medical claims in the U.S. for more than 900,000 doctors, 67,000 pharmacies, 5,500 hospitals and 600 laboratories. Hilgers’ lawsuit notes that Change Healthcare processes millions of claims each year for about 575,000 Nebraska. 

The ransomware attack forced UHG to shut down Change Healthcare’s processing services entirely, stopping millions of transactions in February and March. The lawsuit notes that prescriptions went unfilled and patient care was delayed due to disruptions from the attack.

“And scammers began contacting patients, posing as representatives of hospitals throughout Nebraska and asking for patients’ credit card numbers to issue supposed refunds,” the suit says.

“Providers bore the brunt of providing care without compensation for the duration of the system outage, and thereafter as backlogs were slowly cleared. One cybersecurity firm estimated that some larger health systems lost more than $100 million a day during the outage.”

The lawsuit notes that UHG still has not notified all affected Nebraskans and only released general notices after the attorney general requested information on the company’s efforts to provide such material.

The UHG spokesperson said the company is continuing to notify impacted customers “as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the investigation is still in its final stages.”

The company says it issued “substitute notification via the wire” — which they said is when a company puts out a press release on the wire for everyone to be made aware versus waiting for individual mailings.

“Most importantly, Change Healthcare is also in regular communication with the U.S. Department of Health and Human Services, Office for Civil Rights and other regulators regarding our notification process,” the company said. 

“We are committed to notifying potentially impacted individuals as quickly as possible.”

Nebraska said it is seeking civil penalties, restitution and wants the court to “order the companies to implement stronger data security measures.”

“A functioning medical marketplace needs to have a trustworthy medical payments backbone,” Hilgers said. 

“It requires companies who do what they say they will do, and do everything possible to protect Nebraska’s health information and who provide proper notice to Nebraskans when their data is breached. This suit is intended to help restore trust in our system and remedy the harm suffered by Nebraskans and their medical providers.”