Nebraska AG sues UnitedHealth Group over health data breach at Change Healthcare

The attorney general in Nebraska has sued Minnetonka-based UnitedHealth Group over a cyberattack earlier this year at the company’s Change Healthcare subsidiary that affected the personal health data of about 100 million patients and hobbled systems for filling prescriptions and paying health care providers across the country.

The hack could have been prevented, Nebraska’s attorney general alleges, had the company complied with internal security protocols and its own publicly stated code of conduct and privacy standards. As such, UnitedHealth Group violated consumer protection laws, and it has failed to adequately notify impacted patients, the complaint alleges.

Filed in state court in Lancaster County, Neb., the lawsuit asserts a series of security failings including those that Chief Executive Andrew Witty disclosed during Congressional hearings in May, when he acknowledged the lack of multifactor authentication protections on a company portal that was accessed by hackers. Change’s systems were disabled after the attack, delaying hundreds of millions of dollars in payments to providers and halting care for 575,000 Nebraskans, the lawsuit says.

“All of the harm these attacks caused were avoidable had [UnitedHealth Group] and Change implemented straightforward security measures,” the Dec. 16 complaint says. “As of February 2024, Change and UHG did not have systems, policies and practices in place appropriate to secure and protect the volume and highly sensitive nature of the data being handled.”

While patients and health care providers previously filed lawsuits against UnitedHealth Group over fallout from the cyberattack, the Nebraska litigation is believed to be the first from a state attorney general.

UnitedHealth Group said in a statement: “We believe this lawsuit is without merit and we intend to defend ourselves vigorously.”

The company said its investigation into the attack is “still in its final stages,” and it continues to notify impacted individuals as quickly as possible on a rolling basis.

“Change continues to update the status of the event,” the company said. “Most importantly, Change Healthcare is also in regular communication with the U.S. Department of Health and Human Services, Office for Civil Rights and other regulators regarding our notification process. We are committed to notifying potentially impacted individuals as quickly as possible.”

UnitedHealth Group owns UnitedHealthcare, the nation’s largest health insurer, as well as a fast-growing division called Optum, which acquired Change Healthcare for $13 billion in 2022. The subsidiary has been involved in processing a large share of all health care claims and payments across the U.S. — roughly 15 billion health care transactions annually before the hack, affecting 1 in 3 patient records, according to federal officials.

The cyberattack forced UnitedHealth Group to shut down Change Healthcare’s system, creating financial problems for hospitals and clinics across the country. For a time, the outage also snarled pharmacy counters, with some patients saying they struggled to fill prescriptions.

Earlier this year, the federal government opened an investigation to determine if a breach of protected health information occurred and whether UnitedHealth Group and Change Healthcare were in compliance with federal privacy, security and breach notification rules.

The lawsuit from Nebraska Attorney General Mike Hilgers says that on or about Feb. 11, the user name and password for a low-level customer support employee’s access to a Change portal were posted on the social media site Telegram, in a group chat that advertises the sale of stolen credentials. The compromised portal was a virtual desktop where employees could access Change applications to perform job responsibilities.

The next day, a hacker accessed the portal via the credentials shared in the group chat and broke into a server hosting Change’s medication management application, according to the lawsuit. This access went undetected, according to the complaint, until the hacker over a week later revealed itself while encrypting Change’s systems.

“Over the next nine days, the hacker navigated through Change’s systems and servers at will, installing multiple malware tools and applications, as well as a number of ‘backdoors’ that would allow the hacker to return to those environments in the event Change did detect the suspicious activity and try to block access,” the lawsuit says. It goes on to state: “The hacker copied and exfiltrated terabytes of personal identifying information, financial account information and protected health information for tens of millions of individuals.”

UnitedHealth Group disclosed the cyberattack on Feb. 22.

In early March, the company paid a $22 million ransom via bitcoin, the lawsuit says, but the payment did not restore systems or mitigate the harm done. Since the company couldn’t check all systems for backdoors, and because its backup systems were compromised as well, Change opted to rebuild systems, causing additional delay in processing payments, according to the complaint.

At least one hospital cashed out investments and certificates of deposit to maintain operations, the lawsuit says, and thereby lost interest and investment income. Some health care providers wrote off hundreds of thousands of dollars as a result of claims being denied as untimely, because claims were either tied up in Change’s systems or not processed due to the outage, according to the complaint.

“Nebraskans were left without access to critical medications that they could not afford because pharmacies could not verify patients’ insurance,” the lawsuit states. “The ensuing chaos created substantial disruptions throughout the system.”

UnitedHealth Group says the Change Healthcare clearinghouse services are now restored. The company says it’s in the “repayment phase” of a program that provided billions in temporary financial assistance to health care providers, with $3.2 billion repaid as of Oct. 15.

The Federal Trade Commission offers a range of advice for people who have been affected by a data breach based on what type of personal information was exposed, at IdentityTheft.gov/databreach. Credit bureaus such as Experian also offer detailed advice on how to respond.

UnitedHealth Group is making available complimentary credit monitoring and identity protection services through IDX. To enroll, people can use the link at changecybersupport.com or call toll-free 888-846-4705. For additional support from Change Healthcare, consumers can call toll-free 866-262-5342.