Iowa Attorney General Brenna Bird announced on Mar. 31 that she has filed a lawsuit against Change Healthcare, alleging violations of Iowa’s Consumer Fraud Act and Personal Information Security Breach Protection Act following a large-scale data breach that affected nearly 2.2 million Iowans.
The incident is significant due to the scope of sensitive information exposed and the impact on healthcare operations across the state. The breach, which began on February 11, 2024, went undetected for ten days before being discovered on February 21. During this period, a criminal hacker accessed Change Healthcare’s systems, created privileged administrator accounts, installed malware, and stole personal data including Social Security numbers, driver’s license numbers, health insurance details, medical records, and billing information.
After identifying the breach, Change Healthcare took its systems offline in an effort to contain the situation. This action led to widespread disruption in Iowa’s healthcare system: providers were unable to receive payment for insurance claims and faced additional costs switching claims processors; patients experienced delays in receiving medications and treatments.
Attorney General Bird said: “The Change Healthcare data breach made history for all the wrong reasons. From the 2.2 million Iowans whose sensitive data was exposed for criminals to exploit to the loss of critical care to the terrible financial burden foisted on Iowa hospitals and care facilities, this was a preventable debacle. And instead of owning up to it, Change kept Iowans in the dark for five months, critical time they could have used to protect their leaked data. I’m suing to stand up for Iowans’ rights, to hold Change Healthcare financially accountable, and to remedy their data security inadequacies so this never happens again.”
The lawsuit outlines several deficiencies within Change Healthcare’s system: outdated IT infrastructure, inadequate response to the breach, delays in notifying consumers, widespread operational disruptions, and significant harm to patients’ sensitive data. The Attorney General’s Office is seeking a court order requiring the company to implement stronger data security measures, restore any ill-gotten gains, and pay penalties and damages for harm caused to Iowa residents and healthcare providers.
The case underscores growing concerns about cybersecurity in the healthcare sector and highlights the potential consequences of delayed responses to data breaches. Observers will be watching closely as the legal process unfolds.
