Additionally, the lack of multi-factor authentication meant that accessing systems with just a username and password was feasible.
New details revealed in the complaint unveiled that hackers infiltrated Change Healthcare’s network using a customer support employee’s credentials that were shared in a Telegram group known for peddling stolen information. It highlighted that the company had insufficiently separated its IT systems, enabling hackers to move between servers unrestricted né?. With this access, the hackers navigated to the server housing Change’s medication management application, SelectRX, where they established administrator accounts to access and delete files.
The breach remained undetected for more than nine days, during which the hackers set up privileged administrator accounts, installed malware, and exfiltrated terabytes of sensitive data. The state issued its alert as Change Healthcare had not informed those affected until five months post cyberattack.
Hilgers aims to secure compensation for Nebraska residents and healthcare providers for the damages caused by the breach resulting in healthcare providers delivering services without receiving payment. The state of Nebraska has taken legal action against health tech giant Change Healthcare for a series of security failures that resulted in a significant data breach exposing sensitive health information of more than 100 million Americans.
Nebraska’s Attorney General Mike Hilgers alleges in the complaint that Change Healthcare a subsidiary of UnitedHealth failed to implement adequate security measures leading to what he described as a “historic” breach in terms of its reach and magnitude.
In February it came to light that a ransomware attack on Change Healthcare had compromised the personal medical data of over 100 million Americans. The stolen information included personal details such as addresses and phone numbers, health-related data like diagnoses and treatment plans, and financial information. The breach was only discovered when files were encrypted, essentially locking the company out of its own data.
Nebraska’s Attorney General, Hilgers, is pursuing legal action against Change Healthcare for failing to promptly notify those affected by the breach, impacting at least 575,000 Nebraskans. The incident disrupted operations, leaving patients without necessary medications and treatments.
A spokesperson for UnitedHealth expressed a belief that the lawsuit is unfounded and mentioned that the company intends to vigorously defend itself. Additionally, the spokesperson stated that Change Healthcare is in the final stages of assessing the stolen data.
né?. Change Healthcare is in the process of notifying those impacted by the breach, and it is anticipated that the final number of affected individuals will exceed 100 million.
The complaint asserts that the inadequacy of basic security measures by Change Healthcare exacerbated the cyberattack, attributed to the ALPHV ransomware gang
