Change Healthcare Faces Lawsuit Over Largest U.S. Medical Data Breach
Nebraska Attorney General alleges negligence and security failures exposed over 100 million Americans' sensitive health records.
- A February 2024 ransomware attack on Change Healthcare, owned by UnitedHealth Group, compromised the personal and medical data of over 100 million Americans, making it the largest medical data breach in U.S. history.
- Hackers used a low-level employee's stolen credentials and took advantage of weak security, including the lack of multi-factor authentication and outdated infrastructure, to access and exfiltrate terabytes of sensitive data.
- The breach disrupted healthcare operations nationwide, halting insurance claims processing and delaying care for patients, with hospitals and providers suffering significant financial losses during weeks-long outages.
- Nebraska's lawsuit accuses Change Healthcare of negligence, citing delayed notifications to affected individuals and systemic security vulnerabilities that allowed hackers to freely navigate its network.
- The breach highlights broader concerns about the healthcare sector's cybersecurity vulnerabilities, with experts calling for improved safeguards, interoperability, and a shift toward treating cybersecurity as a patient safety issue.