The state’s Attorney General is suing Change Healthcare and two other companies following the massive data breach.
On December 16th, Nebraska became the first state to sue Change Healthcare over the massive data breach that occurred earlier this year.
According to a local report, the breach impacted at least 575,000 Nebraskan residents, allowing criminals to access their personal data and medical records. More individuals could have been impacted, as it's estimated that 100 million people (a third of Americans) had their data stolen.
Attorney General Mike Hilgers is now suing Change Healthcare, UnitedHealth Group, and Optum for allegedly violating the state’s financial data protection and consumer protection statutes.
Hilgers also argued that Change Healthcare was poorly managed and failed to meet its legal responsibility to protect data. Allegedly, a low-level employee was allowed access to a full data set. Hilgers argued that no company should store sensitive data on outdated technology without two-factor authentication.
“The BlackCat group had nine days…of unfettered access into their system and pulled down all sorts of data about Nebraskans…Once that information is on the dark web, which it is, you can’t put it back in,” Hilgers said.
“We think that this lawsuit sends a clear message to other companies: If one of the biggest companies in the world doesn’t have multi-factor authentication or basic security in place, every other company handling customer data should be double-checking, triple-checking, quadruple-checking their systems,” he added.
Currently, UnitedHealth Group has not directly responded to the lawsuit. “We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the investigation is still in its final stages,” said spokesman Tyler Mason.
Each violation could cost the company up to $2,000, on top of other potential fines.
U.S. Representative Cathy McMorris Rodgers of Washington State believes the lawsuit’s hearing and results will likely be studied for decades to come, as the data breach continues to force the government and companies to examine current cybersecurity practices.
As the case from Nebraska heads towards a hearing, it’s likely other states will soon file their own lawsuits against the companies responsible for the breach.
While lawsuits can help provide restitution to victims, as Hilgers said, it’s impossible to take data off the dark web once it is there. Lawsuits, penalties, and a stricter focus on data security will likely help prevent other massive breaches, but for victims, the threat to their data is far from gone.