Nebraska files lawsuit against Change Healthcare for security breaches impacting 100+ million Americans

The U.S. state of Nebraska has filed a lawsuit against health tech giant Change Healthcare for multiple security failures that led to a massive data breach exposing sensitive health information of over 100 million Americans.

Nebraska Attorney General Mike Hilgers claims in the complaint that Change Healthcare, owned by UnitedHealth, did not implement proper security measures, resulting in what he calls a “historic” breach in terms of its impact and scale.

In October, it was disclosed that a ransomware attack on Change Healthcare in February had compromised the sensitive medical data of more than 100 million Americans. The stolen data included personal details like addresses and phone numbers, health information including diagnoses and treatment plans, and financial data. Change Healthcare is notifying affected individuals about the breach, and the final count of affected individuals is expected to be higher than 100 million.

The complaint alleges that Change Healthcare’s failure to implement basic security measures worsened the cyberattack, attributed to the ALPHV ransomware gang. It stated that the company had poorly segregated IT systems, allowing hackers to move between servers freely, and had not deployed multi-factor authentication, making it possible to access systems with just a username and password.


The complaint also revealed new information about the incident, indicating that hackers got into Change Healthcare’s network using a customer support employee’s username and password that were posted in a Telegram group known for selling stolen credentials. With this access, hackers reached the server hosting Change’s medication management application, SelectRX, and created administrator accounts enabling them to access and delete files.

The attack went unnoticed for over nine days, during which hackers created privileged administrator accounts, installed malware, and extracted terabytes of sensitive data. The breach was only discovered when files were encrypted, locking the company out of its own data.

Nebraska Attorney General Hilgers is suing Change Healthcare for failing to inform impacted individuals about the breach, which affected at least 575,000 Nebraskans. The state issued its own alert because Change Healthcare had not notified affected individuals until five months after the cyberattack.

The attorney general seeks compensation for Nebraska residents and healthcare providers for the harm caused by the breach, which led to care providers delivering services without receiving payment. The incident disrupted operations, leaving patients without necessary medications and treatments.

A UnitedHealth spokesperson stated that they believe the lawsuit is baseless and that they will vigorously defend themselves. The company mentioned that Change Healthcare’s assessment of the stolen data is in its final phases.
