Nebraska’s attorney general sued Change Healthcare this week, accusing the healthcare provider of implementing weak cybersecurity measures that led to a massive breach exposing the data of over 100 million Americans.
The attorney general, Mike Hilgers, sued Change Healthcare on Monday, alleging the company failed to implement adequate safeguards against ransomware attacks. In his complaint, he said the company didn’t have two-factor authentication, making it easier for cybercriminals to access the company’s files.
Change Healthcare has denied all allegations by Mr. Hilgers and has confirmed that it will fight the suit.
According to his complaint, hackers tied to the Russian ransomware group ALPHV accessed Change Healthcare’s files in February using the username and password of a low-level employee. The suit says the hackers likely purchased the employee credentials via a Telegram group.
Despite having only basic access, the hackers broke into Change Healthcare’s medical servers, created administrator accounts for themselves and installed malware. The hackers remained undetected for three days while they extracted private medical data from the 100 million accounts.
The information collected by the hackers included private medication information, diagnoses, addresses, emails and phone numbers.
On top of his claims that Change Healthcare failed to implement proper security measures, Mr. Hilgers is suing the company for its failure to notify customers of the breach. He said Change Healthcare has still failed to provide written notice to Nebraska citizens that their data may have been compromised.
He said his office sent notices to Nebraskans because Change Healthcare failed to do so. He also said the breach likely affected over 500,000 residents in the state.
Mr. Hilgers has asked that Change Healthcare be forced to pay damages for its security and notification failures.
• Vaughn Cockayne can be reached at vcockayne@washingtontimes.com.
Please read our comment policy before commenting.