Nebraska Attorney General Files Lawsuit Over Change Healthcare Data Breach

In addition to patient information being stolen, the data breach caused Change Healthcare to take its systems offline, severely impacting hospital services.

The state of Nebraska is now the latest plaintiff to file a lawsuit against Change Healthcare, claiming last year’s massive data breach was due to a lack of cybersecurity, which violates the state’s consumer protection and data security laws.

The complaint (PDF) was filed by the state’s attorney general, Michael T. Hilgers, in Lancaster District Court in Nebraska last month. It names Change Healthcare Inc., UnitedHealth Group Incorporated and Optum, Inc. as defendants.

The Change Healthcare data breach was first announced almost a year ago, in February 2024, when the company reported that hackers had gained access to the names, Social Security numbers, dates of birth, addresses, medical records, insurance details and other sensitive data for up to 100 million individuals.

While Change Healthcare is not well known among most U.S. consumers, it provides critical software, analytics and services for medical providers throughout the healthcare system, and some estimates suggest that one out of every three Americans has their private health information pass through the company’s servers.

According to Hilgers, the breach affected hundreds of thousands of Nebraskans, who not only had to deal with their data potentially being leaked, but also with the subsequent operational shutdown of Change Healthcare’s data systems.

“This data breach is historic. Not only because it compromised the most sensitive privacy and financial data of Nebraskans, but also because it shut down the payment and claim processing systems that form a significant part of the backbone of the medical payment processing industry,” Hilgers said in a press release announcing the lawsuit. “Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We’re filing this suit to hold Change accountable.”

The lawsuit provides a list of what Hilgers says are systemic failures by Change Healthcare, including outdated IT systems that failed to meet basic security standards, failure to detect and respond to the data breach in a timely manner, delays in notifying consumers about the breach, widespread operational disruptions, increased financial and operational burdens on healthcare providers, and significant harm to Nebraska patients.

Customer Support Credentials Led to Data Breach

Hilgers’ complaint notes that the data breach started when the username and password of a customer support employee were posted on Telegram in a chat known to be a clearinghouse for stolen credentials.

“Using these credentials, a hacker accessed Change’s systems through a remote access service called Citrix,” the press release states. “For over nine days, the hacker navigated Change’s systems undetected, creating privileged administrator accounts, installing malware, and exfiltrating terabytes of sensitive data.”

This allowed the hackers access to Social Security numbers, driver’s license numbers, health insurance information, medical records and billing details.

The breach first occurred on February 11, 2024, but was not detected until February 21, 2024, the lawsuit indicates.

Change Healthcare Service Disruptions

In addition to compromising patients’ private data, the breach also included ransomware that crippled Change’s systems. In response, Change had to take its systems offline.

This led to massive disruption of healthcare systems nationwide, including Nebraska, according to the lawsuit. Nebraska’s rural hospitals were particularly hard hit, Hilgers indicates, resulting in providers having to provide care without being paid for insurance claims.

As a result, some hospitals switched services, while some tried to wait it out. This resulted in patients facing delays in receiving medications and treatments, the lawsuit states.

The lawsuit seeks a court order to force the defendants to upgrade their security systems, and to have the defendants pay compensatory damages and penalties.

January 2025 Change Healthcare Data Breach Lawsuits Update

While the Nebraska claim was filed in state court in Lancaster County, most Change Healthcare data breach lawsuits have been filed in federal courts nationwide.

Given common questions of fact and law raised in the claims, a federal multidistrict litigation (MDL) has been established in the District of Minnesota, where U.S. District Judge Donovan Frank is presiding over coordinated discovery and pretrial proceedings.

Judge Frank has already ordered the parties to begin exploring the possibility of Change Healthcare data breach settlement talks.

As the court begins to explore the potential for a Change Healthcare lawsuit settlement, it is expected that the size and scope of the litigation will continue to expand over the coming weeks and months, as many individuals impacted are still receiving notice about the Change Healthcare data breach, and contacting lawyers to sign up for the litigation.

In addition to class action lawsuits, it is also expected that a number of individual arbitration claims will be filed, which may also impact the total Change Healthcare settlement payouts the company is required to make to resolve the litigation.