
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Iowa AG Sues Change Healthcare Over 2024 Ransomware Attack

Iowa Attorney General Brenna Bird has filed a lawsuit against Change Healthcare, UnitedHealth Group, and Optum over the February 2024 ransomware attack that resulted in the theft of the electronic protected health information of 192.7 million Americans, including 2.2 million Iowans.

AG Bird accuses the defendants of making false representations about their cybersecurity practices and systems before and after the cyberattack. AG Bird claims the defendants played down the seriousness of the incident in the February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC), which stated that a suspected nation state actor had gained access to some of its information systems and that the affected systems had been isolated.

AG Bird said what was described as a relatively benign isolation of systems was in fact the largest healthcare data breach in U.S. history, and one of the largest data breaches of any kind in the United States. “The breach and subsequent shutdown of services, without warning and without adequate backup and redundancies, was so great that it sent the entire U.S. healthcare system into a virtual meltdown,” AG Bird stated in the lawsuit.

Cybercriminals have long targeted U.S. healthcare organizations. Given the high volume of attacks, the volume of sensitive data that flowed through Change Healthcare’s systems, and the impact a ransomware attack would have, the defendants should have known that they would be a huge target for cybercriminals. Despite this, AG Bird alleged that the measures implemented were insufficient and did not match the standards claimed by the defendants. AG Bird alleged that the Change Healthcare cyberattack and data breach “occurred because Change’s systems were insecure, outdated, and lacked appropriate segmentation and redundancies—in violation of Change’s advertised practices, company policies, federal privacy requirements, and basic standards of enterprise information security.”


According to the lawsuit, following a Congressional inquiry into the incident, and over the course of many months, “it became clear that defendants materially misrepresented the quality and characteristics of their cybersecurity systems to Iowans and to Iowa healthcare providers, in violation of Iowa law.” In addition to failing to adequately secure its systems and sensitive data, AG Bird took issue with the time taken to notify the affected individuals, some of whom only learned that their data had been compromised 20 months after their data was stolen.

The lawsuit asserts claims of violations of the Iowa Consumer Fraud Act, Iowa Code, and the Personal Information Security Breach Protection Act. The lawsuit seeks civil monetary penalties of $40,000 per violation of Iowa Code § 714.16(7), civil penalties of $5,000 for each violation of the Iowa Consumer Fraud Act, disgorgement to the Attorney General of all moneys or property acquired in violation of the Iowa Consumer Fraud Act, and awards of damages on behalf of all persons injured due to the violations of the Iowa Personal Information Security Breach Protection Act. Further, the lawsuit seeks to enjoin the defendants from committing further unlawful practices pursuant to Iowa Code.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
