Attorney General Brenna Bird announced today she has filed a lawsuit against Change Healthcare for violations of Iowa’s Consumer Fraud Act and Personal Information Security Breach Protection Act, stemming from a large-scale data breach that affected nearly 2.2 million Iowans.
The breach began on February 11, 2024, and was not discovered until February 21, 2024. For ten days, a criminal hacker navigated Change’s systems undetected, creating privileged administrator accounts, installing malware, and stealing sensitive data. The stolen data included Social Security numbers, driver’s license numbers, health insurance information, medical records, billing details, and more.
When it finally recognized the breach, Change took its systems offline causing widespread disruption to Iowa’s healthcare system. Providers were forced to deliver care without receiving payment for insurance claims, while others incurred significant costs switching to a new claims processor. Patients faced delays in receiving medications and treatments.
Change then delayed notifying affected Iowans, doing so only after five months.
“The Change Healthcare data breach made history for all the wrong reasons,” said Attorney General Bird. “From the 2.2 million Iowans whose sensitive data was exposed for criminals to exploit to the loss of critical care to the terrible financial burden foisted on Iowa hospitals and care facilities, this was a preventable debacle. And instead of owning up to it, Change kept Iowans in the dark for five months, critical time they could have used to protect their leaked data. I’m suing to stand up for Iowans’ rights, to hold Change Healthcare financially accountable, and to remedy their data security inadequacies so this never happens again.”
The lawsuit exposes the following deficiencies in Change Healthcare’s system:
- Outdated IT systems
- Inadequate response to the breach
- Delays in notifying consumers of the breach
- Widespread operational disruptions
- Financial and operational burdens
- Significant harm to Iowa patients’ sensitive data and information
The Attorney General’s Office asks the Court to order the company to implement stronger data security measures, restore ill-gotten gains, and pay penalties and damages for the harm caused to Iowa residents and healthcare providers.
Read the full petition here.
