ipopba - stock.adobe.com

Nebraska attorney general sues Change Healthcare over breach

The Nebraska attorney general sued Change Healthcare, alleging violations of Nebraska's consumer protection and data security laws.

Nebraska Attorney General Mike Hilgers filed a lawsuit against Change Healthcare, following a major cyberattack and data breach that affected 100 million individuals nationwide. The data breach affected hundreds of thousands of Nebraskans alone, prompting Hilgers to take action and become the first state attorney general to file a lawsuit against Change Healthcare after the cyberattack.

Specifically, the Nebraska attorney general's office alleged that Change Healthcare violated Nebraska's consumer protection and data security laws. The office also took issue with Change Healthcare's breach notification timeline, since consumers were not officially notified of the February 2024 breach until July.

"This data breach is historic. Not only because it compromised the most sensitive privacy and financial data of Nebraskans, but also because it shut down the payment and claim processing systems that form a significant part of the backbone of the medical payment processing industry," Hilgers said.

"Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We're filing this suit to hold Change accountable."

Filed in the Lancaster County District Court, the lawsuit highlighted frustrations shared by providers across the country when the cyberattack initially occurred -- financial hardships, delays in consumer notifications and operational disruptions.

The lawsuit alleged that the cyberattack led to delays in prior authorizations and care and noted that scammers contacted Nebraska consumers in the wake of the cyberattack, adding to the existing harms caused by the breach.

"Over the course of many months, and following a Congressional inquiry, the truth of the attack -- its preventability, the actions by Defendants that exacerbated it at the expense of Nebraska's citizens and those who provide them with critical healthcare services and life-saving medications, and the harm suffered by Nebraskans -- began to come to light," the lawsuit stated.

The Nebraska attorney general's office called on Nebraska healthcare providers who were affected by the cyberattack to contact the office. Additionally, the attorney general's office asked the court to order Change Healthcare to implement stronger data security measures and pay damages to Nebraskans and healthcare providers affected by the cyberattack and data breach.

"A functioning medical marketplace needs to have a trustworthy medical payments backbone. It requires companies who do what they say they will do, and do everything possible to protect Nebraska's health information and who provide proper notice to Nebraskans when their data is breached," Hilgers said.

"This suit is intended to help restore trust in our system and remedy the harm suffered by Nebraskans and their medical providers."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.

Dig Deeper on Healthcare data breaches