Change Healthcare Faces Iowa AG Lawsuit Over 2024 Ransomware Attack

Iowa Attorney General Brenna Bird has filed a lawsuit against Change Healthcare, UnitedHealth Group, and Optum alleging that the February 2024 ransomware attack exposed the electronic protected health information (ePHI) of 192.7 million Americans, including 2.2 million Iowans, and that the defendants misrepresented their cybersecurity practices and response.

Complaint Overview

Iowa Attorney General Brenna Bird filed the complaint against UnitedHealth Group, Change Healthcare, and Optum over the February 2024 cybersecurity incident. The complaint alleges that the incident resulted in the theft of the ePHI of 192.7 million individuals, 2.2 million of them Iowa residents, and that the companies made false representations about the state of their cybersecurity systems both before and after the attack.

Allegations About Public Statements and SEC Filing

The complaint alleges that a February 21, 2024 filing with the U.S. Securities and Exchange Commission described the incident as a suspected nation-state actor gaining access to some of the company's information systems and stated that the affected systems had been isolated. The Attorney General contends that the filing understated the severity of the incident and that the description of system isolation was inconsistent with the scale and impact of the breach.

Allegations About System Security and Preparedness

The lawsuit alleges that Change Healthcare’s systems were insecure and outdated and lacked appropriate network segmentation and redundancy. The complaint asserts that these deficiencies were inconsistent with the defendants’ advertised practices and company policies and violated federal privacy requirements and basic standards of business information security. The Attorney General alleges that the defendants should have anticipated being a major target for cybercriminals, given the volume of sensitive data processed by Change Healthcare and the operational impact a ransomware attack on it would have.

Operational Impact and Notification Delays

The complaint alleges that the breach and the subsequent shutdown of services caused widespread disruption to U.S. healthcare operations and describes the shutdown as having sent the healthcare system into a virtual meltdown. The Attorney General also challenges the timeliness of notifications to affected individuals, noting that some people were not informed that their data had been compromised until 20 months after the theft.

Legal Claims And Remedies Sought

The lawsuit asserts violations of provisions of the Iowa Code, including the Iowa Consumer Fraud Act and the Personal Information Security Breach Protection Act. The complaint seeks civil penalties of $5,000 for each violation of the Iowa Consumer Fraud Act and civil monetary penalties of $40,000 per violation of Iowa Code § 714.16(7). The Attorney General also seeks disgorgement of money or property acquired in breach of the Iowa Consumer Fraud Act, injunctive relief to prevent further unlawful practices under Iowa law, and damages on behalf of individuals harmed under the Personal Information Security Breach Protection Act.

Congressional Inquiry and Alleged Misrepresentations

The complaint references a Congressional inquiry and alleges that, over the months following the attack, it became clear that the defendants had falsely represented the quality and effectiveness of their cybersecurity systems to Iowa residents and healthcare providers. The Attorney General contends those misrepresentations violated Iowa law.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone