AG Sues Change Healthcare, Two Other Companies After Data Breach Hits At Least 575,000 Nebraskans
LINCOLN — Nebraska on Monday became the first state to sue Tennessee-based Change Healthcare over the company’s massive data breach that cost at least 575,000 Nebraskans their personal information and medical records.
Nationally, the U.S. Department of Health and Human Services estimated that 100 million people, nearly a third of the U.S. population, had data stolen by hackers in that February breach of the medical payments company. The breach was blamed on a low-level employee who had his or her login credentials hacked.
Nebraska Attorney General Mike Hilgers said he is suing because of the company’s carelessness in handling data and in how slowly it has notified people affected. He called the hack “one of the largest” data breaches in modern history.
The company, he said, was wrong to allow a low-level employee access to a full data set. No company, he said, should store such sensitive information on outdated technology that does not require two-factor authentication to access.
Hilgers said the company’s management runs afoul of legal responsibilities for protecting data.
The BlackCat ransomware group, known for targeting large companies with hacking for bitcoin or other payments, has claimed credit for the hack.
“The BlackCat group had nine days … of unfettered access into their system and pulled down all sorts of data about Nebraskans, about Americans…,” Hilgers said Monday. “Once that information is on the dark web, which it is, you can’t put it back in.”
His office sued Change Healthcare, UnitedHealth Group and Optum for allegedly violating the state’s financial data protection and consumer protection statutes.
It also alleged violations of deceptive trade practices law and potential violations of federal health privacy law and health information technology protection standards.
Each violation of the consumer protection law could cost the company up to $2,000. Fines are possible for data protection failures. Hilgers said the state would seek restitution to make Nebraskans whole for their losses.
“We think that this lawsuit sends a clear message to other companies: If one of the biggest companies in the world doesn’t have multi-factor authentication or basic security in place, every other company handling customer data should be double-checking, triple-checking, quadruple-checking their systems,” Hilgers said.
Companies Have No Immediate Response
Tyler Mason, a spokesman for UnitedHealth Group, said Change Healthcare is working with the U.S. Department of Health and Human Services and other regulators about its notification process.
“We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the investigation is still in its final stages,” he said in a statement. “We are committed to notifying potentially impacted individuals.”
The company suggested that anyone who might have been affected check out the company’s website for the hack at changecybersupport.com. It suggested those notified should enroll in credit monitoring using the link on the website or call 888-846-4705. People who need telephone help from the company can call 866-262-5342.
Andrew Witty, CEO of UnitedHealth, told the U.S. House Energy and Commerce Committee in May that the company paid hackers a $22 million ransom. He said Change Healthcare, which his group had acquired, was using older tech that was in the process of being upgraded.
U.S. Rep. Cathy McMorris Rodgers, R-Wash., said at the hearing that the companies’ actions would likely be “a case study in crisis mismanagement for decades to come.”
Many companies limit which employees have access to what data. Two-factor authentication sends a second notice to registered users trying to log in, to verify that they are the ones accessing the data.
Change Healthcare is a payment processing company that ensures medical providers get paid after insurance companies determine whether to cover a medical procedure and what portion to fund.
Hilgers used the example of Bryan Health in Lincoln as a provider that has been impacted by the breach. He said Bryan Health notified its customers of the potential breach last spring.
Rural, critical access hospitals lost money because of the breach, he said, putting some in a cash-flow crunch.
Jeremy Nordquist, president of the Nebraska Hospital Association, applauded Hilgers for “holding these companies accountable to their legal obligation to keep health information private.”
“Cyber security is critical for health care, and the recklessness shown by Change Healthcare … must be addressed.”
Hilgers said the Nashville-based company dragged its feet on legally required notification of Nebraska clients from February until the Attorney General’s Office got more aggressively involved in May. He said notifications shouldn’t have required those steps.
“Nine months later, people are starting to get notices … but they do not equip and arm Nebraskans with the ability to actually fight back or try to be prepared,” Hilgers said.
How To Find Help
Already, he said, the consumer protection side of his office has been getting calls from people questioning whether calls they have received seeking payment for medical procedures they think they’ve already paid for might be scams related to the hack.
He had no hard numbers on the number of people being scammed but said medical information is deeply personal and can be used to embarrass, manipulate and harm people.
The stolen data included medical records, telephone numbers, addresses, doctors, diagnoses, medicines, test results, images and care and treatment histories, according to the lawsuit, which the state filed in Lancaster County District Court.
This could be used to harass, blackmail or extort money out of people, Hilgers said.
Hilgers advised any Nebraskans who get a call seeking immediate payment for a medical procedure to take down the caller’s information, look up the real number for the company involved and check with the company to see whether it might be calling.
He urged people worried about a possible scam to call the Attorney General’s consumer protection hotline at 402-471-2682 or toll-free at 800-727-6432.
This story was published by Nebraska Examiner, an editorially independent newsroom providing a hard-hitting, daily flow of news. Read the original article: https://nebraskaexaminer.com/2024/12/16/ag-sues-change-healthcare-two-ot...
Omaha Daily Record