The state of Nebraska has officially launched a lawsuit against health technology giant Change Healthcare. The legal action follows a catastrophic security failure that exposed the private medical and financial records of at least 100 million Americans.
A Failure of Basic Security Protocols
In a complaint filed this week, Nebraska Attorney General Mike Hilgers asserts that the UnitedHealth-owned company failed to maintain essential security safeguards. This negligence facilitated what is being described as a “historic” data breach. The incident, which originated from a February ransomware attack by the Russian-speaking ALPHV group, compromised a vast array of sensitive data, including home addresses, phone numbers, medication details, treatment plans, and banking information.
The lawsuit highlights critical vulnerabilities within Change Healthcare’s IT infrastructure. Investigators found that the company’s systems were poorly segmented, allowing hackers to move laterally across servers with ease. Furthermore, the absence of multi-factor authentication (MFA) meant that attackers could infiltrate the network using nothing more than a standard username and password.
The “Low-Level” Entry Point
The legal filing reveals new, previously undisclosed details regarding how the breach occurred. Hackers reportedly gained initial access to the network using the credentials of a low-level customer support employee, which had been circulating on a Telegram channel dedicated to stolen data.
Despite the account lacking administrative privileges, the attackers successfully breached the server hosting the “SelectRX” medication management application. Once inside, the hackers elevated their access by creating privileged administrator accounts, granting them the ability to exfiltrate terabytes of data and delete critical files. The intrusion remained undetected for over nine days, only surfacing when the hackers initiated file encryption to lock the company out of its own systems.
Delayed Notifications and Operational Fallout
Nebraska’s lawsuit also targets the company’s sluggish response to the breach. Attorney General Hilgers claims that at least 575,000 Nebraskans were impacted, yet Change Healthcare failed to notify them for nearly five months. Nebraska officials eventually issued their own public warning to residents to mitigate the risk of identity theft and fraud.
Beyond the privacy implications, the breach triggered widespread operational chaos. Healthcare providers were left unable to process insurance claims, and countless patients faced significant delays or denials in receiving life-saving medications and medical treatments.
Company Response
UnitedHealth spokesperson Katherine Wojtecki responded to the legal action, stating: “We believe this lawsuit is without merit and we intend to defend ourselves vigorously.” The company maintains that its internal review of the stolen data is currently in its final stages.