Nebraska’s Attorney General has filed a lawsuit against Change Healthcare and its parent company, UnitedHealth Group (UHG), following a devastating ransomware attack in February 2024. The breach, which exposed the sensitive healthcare information of millions of Americans, disrupted critical medical services across the state and nationwide. Change Healthcare, which processes about half of all U.S. medical claims, had its payment and claim processing systems shut down, causing delays in patient care, unfilled prescriptions, and significant financial strain on healthcare providers. This cyberattack is now regarded as one of the most impactful ransomware incidents in U.S. history.
According to the lawsuit, Change Healthcare’s failure to implement adequate cybersecurity measures exacerbated the breach and further disrupted healthcare services, particularly in rural areas. Nebraska’s Attorney General, Mike Hilgers, emphasized the far-reaching consequences of the breach, noting that critical access hospitals and healthcare providers faced severe financial hardships due to the extended downtime of payment systems. Providers had to offer care without compensation, leading to major cash flow issues and delayed services for patients across the state.
In addition to the service disruptions, the breach also led to a rise in fraudulent activity. Scammers posed as hospital representatives, reaching out to patients and requesting credit card information under the guise of issuing refunds. The lawsuit claims that UHG failed to properly notify Nebraskans of the breach, depriving them of a chance to protect themselves from potential fraud. Change Healthcare’s communication efforts were described as insufficient, as the company opted for generalized public notices rather than individualized notifications to those affected by the breach.
Nebraska’s Attorney General is seeking civil penalties, restitution, and stronger security measures to be implemented by the companies involved. The state is pressing for a remedy that would restore trust in the healthcare system, which relies on secure and reliable payment processing systems to function properly. The case underscores the critical need for robust cybersecurity measures within the healthcare industry to prevent further disruptions and protect the privacy and safety of patients across the nation.