Topics
Latest
AI
Amazon
Image Credits:Patrick Sison / AP
Apps
Biotech & Health
Climate
Image Credits:Patrick Sison / AP
Cloud Computing
DoC
Crypto
Enterprise
EVs
Fintech
Fundraising
Gadgets
Gaming
Government & Policy
ironware
layoff
Media & Entertainment
Meta
Microsoft
Privacy
Robotics
surety
Social
quad
Startups
TikTok
Transportation
Venture
More from TechCrunch
event
Startup Battlefield
StrictlyVC
Podcasts
Videos
Partner Content
TechCrunch Brand Studio
Crunchboard
Contact Us
The U.S. state of Nebraska has sued the wellness tech giant Change Healthcare over a serial publication of supposed surety failings that resulted in a diachronic data breach exposing the sore health information of at least 100 million Americans .
Ina complaint filed this week , Nebraska ’s attorney general Mike Hilgers claims UnitedHealth - possess Change Healthcare flunk to follow up proper security measures , direct to what he describes as a “ historic ” data break in terms of wallop and order of magnitude .
This amount after it wasrevealed in October that more than 100 million Americanshad their sensitive medical datum stolen during a February ransomware attack on Change Healthcare . This information included personal information such as addresses and phone number ; health data including diagnoses , medications , and treatment program ; and financial and banking data . Change Healthcare continues to notify affected individuals about the data point breach , and the last number is anticipate to be mellow than 100 million .
Hilgers said in his ill that Change Healthcare ’s “ unsuccessful person to implement basic certificate protection ” exacerbate the extent of the cyberattack , which wasattributedto the Russian - talk ALPHV ransomware gang . The complaint aver that the health tech giant had poorly segmented IT system that allowed the hackers to travel freely between waiter , and that Change Healthcare had failed to apply multi - factor authentication on its systems , which mean they could be accessed with just a username and password .
The complaint also reveals some previously unreported information about the incident , let in new detail demonstrate that the hackers gain access to Change Healthcare ’s meshwork using the username and password of a “ small - level client bread and butter employee , ” which Hilgers said was posted to a Telegram group known for selling stolen credentials .
With access to this “ basic , user - story ” account , which did not have administrator access , Hilgers ’ complaint alleges that hackers were capable to break into the waiter that host Change ’s medication management software , SelectRX . From there , the hackers created privileged accounts with decision maker capability , include the ability to access and delete all files .
“ For over nine day , the hacker navigated Change ’s system undetected , make privileged administrator accounts , installing malware , and exfiltrating terabytes of tender data , ” the ailment order , add that the attack was only detected when files were encrypted , lock out the company from its own data .
Join us at TechCrunch Sessions: AI
Exhibit at TechCrunch Sessions: AI
Hilgers is also process Change Healthcare over its aver unsuccessful person to advise affected individuals about the datum breach , which he allege touch on at least 575,000 Nebraskans . Hilgerssays the country published its own noticealerting house physician to the breach because Change Healthcare still had not provided poster to those involve until some five months after the cyberattack .
“ As of the particular date of this complaint , the State of Nebraska believes that Defendants have still fail to provide written bill to many affected Nebraskans of the rupture , leave citizen more vulnerable to exploitation of the sensitive personal financial , wellness , and identifying information , ” the complaint says .
The Nebraska attorney full general is ask a courtyard to order Change Healthcare to pay damages “ for the harm get to Nebraska residents and healthcare providers , ” which Hilgers says were forced to deliver care without receiving payment for insurance claims .
The incident also caused widespread operable hoo-ha , leaving patients without necessary medications and treatments .
UnitedHealth voice Katherine Wojtecki secern TechCrunch : “ We believe this case is without virtue and we intend to represent ourselves vigorously . ” The company reiterate in its instruction what it told TechCrunch in July , that Change Healthcare ’s review of the stolen datum was “ in its last stages . ”
