TechCrunch News, December 19, 2024
Nebraska sues Change Healthcare over security failings that led to medical data breach of over 100 million Americans

 

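Nebraska is suing healthtech giant Change Healthcare, alleging that weak security measures led to a massive data breach that exposed the sensitive health information of at least 100 million Americans. The incident stemmed from a ransomware attack in February of this year, in which hackers used the username and password of a low-level customer support employee to break into the company's systems and stole large amounts of data over nine days. Nebraska's attorney general argues that Change Healthcare failed to implement basic security protections, which widened the scope of the attack, and accuses the company of delaying notification to affected residents. The state is seeking a court judgment requiring Change Healthcare to compensate Nebraska residents and healthcare providers for their losses, and notes that the incident caused widespread operational disruptions, leaving patients unable to obtain necessary medications and treatments.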

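🔒 Change Healthcare faces a lawsuit for failing to implement proper security measures, which led to the exposure of sensitive medical data belonging to more than 100 million Americans, in what is described as a "historic" data breach.

⚠️ Hackers used the leaked credentials of a low-level customer support employee to get into the system, then created accounts with administrator privileges and stole large amounts of data over nine days without being detected.

📢 Nebraska's attorney general accuses Change Healthcare of failing to notify affected residents in a timely manner, leaving them more exposed to misuse of their sensitive information, and the state published its own notice to alert residents.

💸 The lawsuit also asks that Change Healthcare compensate Nebraska residents and healthcare providers for their losses; these providers were forced to deliver care without receiving payment because of insurance claim problems, which led to widespread operational disruptions.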

The U.S. state of Nebraska has sued the healthtech giant Change Healthcare over a series of alleged security failings that resulted in a historic data breach exposing the sensitive health information of at least 100 million Americans.

In a complaint filed this week, Nebraska’s attorney general Mike Hilgers claims UnitedHealth-owned Change Healthcare failed to implement proper security measures, leading to what he describes as a “historic” data breach in terms of impact and magnitude.

This comes after it was revealed in October that more than 100 million Americans had their sensitive medical data stolen during a February ransomware attack on Change Healthcare. This data included personal information such as addresses and phone numbers, health data including diagnoses, medications, treatment plans, and financial and banking data. Change Healthcare continues to notify affected individuals about the data breach, and the final number is expected to be higher than 100 million.

Hilgers said in his complaint that Change Healthcare’s “failures to implement basic security protections” exacerbated the extent of the cyberattack, which was attributed to the Russian-speaking ALPHV ransomware gang. The complaint alleges that the healthtech giant had poorly segmented IT systems that allowed the hackers to travel freely between servers, and that Change Healthcare had failed to implement multi-factor authentication on its systems, which meant they could be accessed with just a username and password.

The complaint also reveals some previously unreported information about the incident, including new details showing that the hackers gained access to Change Healthcare’s network using the username and password of a “low-level customer support employee,” which Hilgers said was posted to a Telegram group known for selling stolen credentials.

With access to this “basic, user-level” account, which did not have administrator access, Hilgers’ complaint alleges that hackers were able to break into the server that hosted Change’s medication management application, SelectRX. From there, the hackers created privileged accounts with administrator capabilities, including the ability to access and delete all files.

“For over nine days, the hacker navigated Change’s systems undetected, creating privileged administrator accounts, installing malware, and exfiltrating terabytes of sensitive data,” the complaint says, adding that the attack was only detected when files were encrypted, locking out the company from its own data.

Hilgers is also suing Change Healthcare over its alleged failure to notify affected individuals about the data breach, which he says impacted at least 575,000 Nebraskans. Hilgers says the state published its own notice alerting residents to the breach because Change Healthcare still had not provided notice to those affected until some five months after the cyberattack.

“As of the date of this complaint, the State of Nebraska believes that Defendants have still failed to provide written notice to many affected Nebraskans of the breach, leaving citizens more vulnerable to exploitation of the sensitive personal financial, health, and identifying information,” the complaint says. 

The Nebraska attorney general is asking a court to order Change Healthcare to pay damages “for the harm caused to Nebraska residents and healthcare providers,” which Hilgers says were forced to deliver care without receiving payment for insurance claims.

The incident also caused widespread operational disruptions, leaving patients without necessary medications and treatments.

UnitedHealth spokesperson Katherine Wojtecki told TechCrunch: “We believe this lawsuit is without merit and we intend to defend ourselves vigorously.” The company reiterated in its statement what it told TechCrunch in July, that Change Healthcare’s review of the stolen data was “in its final stages.”
