Nebraska sues Change Healthcare over ransomware attack
The Nebraska Attorney General has filed a lawsuit against UnitedHealth Group and its subsidiaries Change Healthcare and Optum, claiming the companies violated state laws on consumer protection after a massive ransomware attack in February exposed personal health information and disrupted claims payments and processing.
The Change Healthcare data breach began on February 11, when the username and password of a low-level customer support employee were posted in a Telegram group chat known for selling stolen credentials. Using these credentials, a hacker logged in to Change’s systems through a Citrix remote access portal, the lawsuit said; UnitedHealth Group’s later testimony to Congress confirmed that the portal did not have multi-factor authentication enabled, so a valid username and password were all that was needed to get in.
For over nine days, the hacker navigated Change’s systems undetected, creating privileged administrator accounts, installing malware, and exfiltrating terabytes of sensitive data.
The stolen data included Social Security numbers, driver’s license numbers, health insurance information, medical records and billing details, among other sensitive PHI. Change detected the activity on February 21, when the hacker deployed ransomware, crippling Change’s systems. In response, Change took its systems offline – which the lawsuit claims effectively shut down its operations, thereby exacerbating the harm.
WHAT’S THE IMPACT
In the complaint, Nebraska AG Mike Hilgers said the data breach and subsequent operational shutdown exposed the PHI of what his office believes to be “at least hundreds of thousands of Nebraskans, if not over a million.” This claim has been given some credence by an October HIPAA Journal report showing the Change cyberattack compromised the PHI of at least 100 million people.
This represents roughly a third of the U.S. population and makes the data breach the largest known breach at a HIPAA-regulated entity.
In addition to exposing sensitive information, including information reflecting medical diagnoses, the shutdown also disrupted critical healthcare services across the state, the lawsuit alleges. It claims that the defendants’ failure to implement proper security measures exacerbated the data breach, leaving healthcare providers unable to deliver timely care and placing Nebraskans’ sensitive information at risk.
The lawsuit alleges a number of systemic failures, including outdated and poorly segmented IT systems that failed to meet enterprise security standards; an inadequate response to the breach, including the failure to detect unauthorized access for over a week, allowing hackers to establish themselves unnoticed inside Change’s systems and access PHI; and delays in notifying consumers of the breach, with affected Nebraskans only beginning to receive notifications nearly five months after the breach was discovered.
According to the suit, widespread operational disruptions halted prior authorizations for medical care and prescriptions, leaving patients without necessary medications and treatments. The breach also resulted in financial and operational burdens on Nebraska hospitals, pharmacies and doctor’s offices, as well as significant harm to patients, including the potential for identity theft, financial fraud, and exploitation of PHI, the suit claims.
The lawsuit also claims the disruption has had an outsized effect on rural hospitals and critical access facilities, which were already operating on thin margins. Some providers were forced to deliver care without receiving payment for insurance claims, while others incurred significant costs switching to new transaction clearinghouses, the lawsuit said. Patients faced delays in receiving medications and treatments, while their sensitive information remained exposed on the dark web.
The complaint seeks to hold Change accountable, with the AG’s office asking the court to order the companies to implement stronger data security measures and to pay damages and penalties for the harm caused to Nebraska residents and healthcare providers.
THE LARGER TREND
UnitedHealth Group CFO John Rex, who was named president in April, said at the time that the cyberattack is expected to cost UHG $1 billion to $1.5 billion this year.
In May, UnitedHealth Group CEO Andrew Witty confirmed to Congress that he made the decision to pay $22 million in bitcoin ransom to protect the health information of patients.
UnitedHealth Group’s Optum bought Change for $13 billion two years ago.
ON THE RECORD
“This data breach is historic,” said Hilgers. “Not only because it compromised the most sensitive privacy and financial data of Nebraskans, but also because it shut down the payment and claim processing systems that form a significant part of the backbone of the medical payment processing industry. Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We’re filing this suit to hold Change accountable.”
Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.