Nebraska AG’s lawsuit against Change Healthcare survives motion to dismiss
Farah Amod
Dec 5, 2025 7:29:36 AM
A Nebraska court has allowed the state’s lawsuit over the 2024 Change Healthcare breach to move forward.
What happened
Nebraska Attorney General Mike Hilgers’ lawsuit against Change Healthcare, UnitedHealth Group, and Optum will proceed after a Lancaster County District Court judge denied the defendants’ motion to dismiss. The lawsuit, filed in December 2024, alleges violations of Nebraska’s consumer protection, data privacy, and security laws in connection with the Change Healthcare ransomware attack that affected more than 190 million Americans, including nearly 900,000 Nebraskans.
Going deeper
The complaint alleges that the 2024 ransomware attack occurred because Change Healthcare failed to implement reasonable cybersecurity controls and did not follow industry-standard security practices. The state cites outdated IT systems, inadequate network segmentation, and other security deficiencies that contributed to the scale of the breach and the two-month operational outage that followed. During the outage, essential claims and payment processing systems were disrupted, delaying medical care, prescriptions, and prior authorizations for Nebraska residents. The lawsuit also states that residents waited almost five months to learn their data had been compromised, placing them at heightened risk of identity theft, fraud, and misuse of personal health information.
What was said
Judge Susan Strong found that the state sufficiently alleged violations of consumer protection and data privacy laws, allowing the case to proceed. Attorney General Hilgers said the ruling allows Nebraska to continue seeking accountability and stronger safeguards for residents’ health information. He noted that nearly half of Nebraskans had sensitive data exposed in the attack and outlined the state’s intention to pursue remedies, including civil penalties, damages, and injunctive relief.
The big picture
State-level legal actions have increased following large health sector breaches, reflecting growing scrutiny of cybersecurity practices across the healthcare ecosystem. The U.S. Government Accountability Office has reported that outdated systems and insufficient network segmentation are recurring weaknesses in healthcare organizations affected by ransomware, contributing to prolonged outages and broader exposure of medical data. These patterns align with concerns raised in the Nebraska lawsuit about systemic security gaps and delayed breach notifications.
FAQs
Why are states increasingly filing independent lawsuits after major health data breaches?
State attorneys general have the authority to enforce consumer protection and privacy laws, allowing them to seek penalties and remedies that go beyond federal enforcement actions.
How can outdated IT systems contribute to a breach?
Legacy systems often lack modern security controls, are harder to patch, and may not support strong authentication or network segmentation, making lateral movement easier for attackers.
Why is delayed notification a central issue in many breach investigations?
Late notification prevents individuals from taking timely protective steps, increasing the likelihood of identity theft, fraud, and misuse of medical or financial information.
What is network segmentation, and why does it matter?
Segmentation divides systems into isolated zones, limiting how far attackers can move once inside a network. Poor segmentation enables wide-scale compromise from a single entry point.
What remedies can states pursue in lawsuits like this?
States may seek civil penalties, restitution, injunctive relief, cybersecurity improvements, and reimbursement for economic loss experienced by residents and healthcare providers.