Iowa Seeking Civil Monetary Fines, Damages for Alleged Violations
Iowa’s state attorney general has filed a lawsuit against UnitedHealth Group seeking financial damages, civil penalties and improvements to the company’s data security practices for alleged violations of state and federal laws stemming from the 2024 ransomware attack and mega-breach of its Change Healthcare unit.
Iowa State Attorney General Brenna Bird filed the lawsuit Tuesday in District Court for Polk County against UHG and its Optum and Change Healthcare business units. Optum acquired Change Healthcare, a healthcare IT services firm, in 2022 for $13 billion. Two years later, a ransomware attack disrupted Change Healthcare’s operation for months, interrupted billing and other key services for thousands of providers and compromised the data of nearly 193 million people across the United States, including 2.2 million Iowans (see: Change Healthcare Now Counts 190 Million Data Breach Victims).
Bird alleged violations of Iowa’s Consumer Fraud Act and Personal Information Security Breach Protection Act, as well as federal laws such as HIPAA, delayed breach notification, and an array of other claims stemming from Change Healthcare’s February 2024 cyberattack.
The breach began on Feb. 11, 2024, and was not discovered until Feb. 21, 2024, Bird said. “For 10 days, a criminal hacker navigated Change’s systems undetected, creating privileged administrator accounts, installing malware, and stealing sensitive data,” Bird said in a statement.
Data stolen in the breach included Social Security numbers, driver’s license numbers, health insurance information, medical records, billing details, and other information.
“This was a preventable debacle. And instead of owning up to it, Change kept Iowans in the dark for five months, critical time they could have used to protect their leaked data,” she said.
The attack by Russian-speaking ransomware gang BlackCat – also known as AlphV – and the resulting Change Healthcare IT system outages also disrupted claims processing and many other critical business operations for thousands of medical practices, clinics, pharmacies and hospitals across the U.S. for several months.
In Iowa alone, Change Healthcare processes more than 1 million claims per year, the lawsuit said.
“Defendants’ conduct caused direct and significant economic harm to Iowans and Iowa healthcare providers. The collapse of Change’s systems halted a significant number of insurance-related private healthcare transactions in the state,” the lawsuit complaint alleges.
“The harms flowing from this unprecedented failure reverberated throughout the Iowa healthcare system,” the complaint said.
“Claims that had already been submitted were paralyzed – providers could not access them, nor even pull them out of Change to resubmit them through a new processor,” the lawsuit alleged.
“Healthcare providers were faced with the choice of sticking with Change – and facing the uncertainties of trying to hold out until its systems were restored – or switching to a different clearinghouse provider and incurring significant costs – both direct costs from the transition and staff time – to do so.”
The Iowa lawsuit is seeking injunctive relief including improvements to the defendants’ data security practices, as well as monetary payments.
The financial restitution being sought includes civil penalties of $40,000 per violation of Iowa consumer laws; additional civil penalties of $5,000 for each violation of state consumer laws affecting “older” individuals; and financial damages for individuals injured by alleged violations of Iowa’s Personal Information Security Breach Protection Act.
UnitedHealth Group disputed the claims. “We believe this lawsuit is without merit and we intend to defend ourselves vigorously,” UnitedHealth Group said in a statement to ISMG.
Other Legal Problems
Change Healthcare could still face lawsuits from additional state attorneys general, some legal experts said.
“Given the magnitude of the breach and the impact on individual state residents and providers alike, I would not be surprised if others followed,” said attorney Rachel Rose, who is not involved in the Change Healthcare cases (see: UnitedHealth Group’s Latest Health Data Breach Woes).
So far, in addition to Iowa, at least one other state attorney general, Mike Hilgers of Nebraska, has filed litigation against Change Healthcare over the cyberattack. Hilgers filed that case last December.
Besides that, a coalition of 22 state attorneys general sent a joint letter in 2024 to UHG demanding the company take action to assist organizations affected by the attack’s disruption (see: State AGs, Industry Groups Urge Action in Change Healthcare Saga).
Some state attorneys general also issued public consumer warnings about the Change Healthcare data breach in the months following the attack as the company continued to recover its systems and investigate the incident (see: State AGs Warn Consumers About Change Healthcare Breach).
Change Healthcare and its parent UHG also face dozens of proposed class action lawsuits, including consolidated multidistrict litigation, in federal courts involving the data breach (see: Change Healthcare Attack Recovery Woes, Lawsuits Pile Up).
“I do believe that a settlement will be reached at some point because deficiencies have been established and Congressional testimony that highlighted the cybersecurity and HIPAA issues” alleged against Change Healthcare in many of the lawsuits, Rose said.
Besides the lawsuits, the Change Healthcare cyberattack is also still under investigation by the U.S. Department of Health and Human Services’ Office for Civil Rights for potential HIPAA violations involving the hack (see: Feds Launch Investigation Into Change Healthcare Attack).
Although HHS OCR has not provided any public updates about the status of its investigation – which was launched shortly after Change Healthcare disclosed the cyberattack – Rose said an enforcement action against the company by the federal agency is likely, but could take a while longer.
“As we know from past HHS OCR enforcement actions, it can take years for a corrective action plan and settlement to be reached,” she said. A similar phenomenon occurred in 2015 when Anthem reported a breach to HHS OCR affecting nearly 79 million people, also stemming from a hacking incident.
It took over three years before HHS OCR hit Anthem with a record $16 million HIPAA enforcement action in the breach.
“The Change Healthcare attack exponentially eclipses the size of the Anthem breach, so it will likely take longer,” she said.
