The US state of Nebraska has sued health tech giant Change Healthcare over a series of alleged security flaws that led to a historic data breach that exposed sensitive health information of at least 100 million Americans.
Nebraska Attorney General Mike Hilgers said in a complaint filed this week that Change Healthcare, a unit of UnitedHealth, failed to take adequate security measures and that its influence and size meant that he had access to “historic” data. It alleges that this led to what it calls an infringement.
This comes after it was revealed in October that more than 100 million Americans had their sensitive health data stolen in a ransomware attack on Change Healthcare in February. This data includes personal information such as address and phone number, health data such as diagnoses, medications, and treatment plans, and financial and banking data. Change Healthcare continues to notify affected individuals about the data breach, with the final number expected to exceed 100 million.
Hilgers said in the complaint that Change Healthcare's “failure to implement basic security protections” exacerbated the scale of the cyberattack, which was carried out by the Russian-speaking ALPHV ransomware group. The complaint alleges that the health tech giant's IT systems are not fragmented, allowing hackers to move freely between servers, and that Change Healthcare failed to implement multi-factor authentication in its systems. He claims that he was able to access the site with just a username and password. .
The complaint alleges previously unreported details about the incident, including new details showing that the hackers used the username and password of a “low-level customer support employee” to access Change Healthcare's network. Information has also been revealed. Hilgers said the employee posted on a Telegram group. Known for selling stolen credentials.
Hilgers' complaint alleges that access to this “basic user-level” account, which does not have administrative access, allowed hackers to break into the servers hosting Change's medication management application, SelectRX. From there, the hackers created a privileged account with administrative functions, including the ability to access and delete all files.
“Over nine days, the hackers penetrated Change's systems undetected, created super administrator accounts, installed malware, and exfiltrated terabytes of sensitive data,” the complaint states. , added that the attack was only detected if the files were encrypted, locking the company out of access. Proprietary data.
Hilgers is also suing Change Healthcare for allegedly failing to notify affected individuals about a data breach that affected at least 575,000 Nebraskans. Hilgers said Change Healthcare did not provide notification to those affected until about five months after the cyberattack, prompting the state to issue its own notice warning residents about the breach. Ta.
“As of the date of this complaint, the State of Nebraska states that Defendants have not yet provided written notification of the breach to many affected Nebraskans and that the State of Nebraska has not yet provided written notice of the breach to a number of affected Nebraskans, and that the State of Nebraska has not yet provided written notice of the breach to a number of affected Nebraskans and that the public is unable to access sensitive personal financial information, health information, etc.” , believe that their personal information is at risk of being exploited,” the complaint states.
The Nebraska Attorney General's Office alleges that Hilgers was forced to provide care without insurance reimbursement, and sued Change Healthcare “for the harm caused to Nebraska residents and health care providers.” They are asking the court to order them to pay damages.
The incident also caused widespread operational disruption, leaving patients without the medication and treatment they needed.
UnitedHealth spokeswoman Katherine Wojtecki told TechCrunch: “We believe this lawsuit is without merit and will vigorously defend it.” In a statement, the company reiterated what it told TechCrunch in July, saying that Change Healthcare's review of the stolen data is “in its final stages.”