Iowa Attorney General Brenna Bird announced earlier this week that the state has filed a lawsuit against Change Healthcare over a massive data breach that exposed the sensitive information of nearly 2.2 million Iowans. According to the lawsuit, the breach began on Feb. 11, 2024, and went undetected for 10 days, during which a hacker accessed the company’s systems. During that time, the attacker allegedly created administrator accounts, installed malware, and stole data, including Social Security numbers, driver’s license numbers, health insurance information, medical records, and billing details. When Change Healthcare discovered the breach on Feb. 21, it shut down its systems, triggering widespread disruptions across Iowa’s health care network. Providers were forced to continue treating patients without receiving insurance claim payments, while others incurred costs switching to new claims processors. Some patients also experienced delays in receiving medications and treatments. The lawsuit, filed under Iowa’s Consumer Fraud Act and Personal Information Security Breach Protection Act, also alleges the company delayed notification to affected residents for five months. The suit argues that Change Healthcare’s security was knowingly flawed, and Bird believes the company should be held liable for damages. She cites outdated IT systems, inadequate responses following the breach, notification delays, operational disruptions, and general harm to Iowans in the filing. Bird calls the breach “a preventable debacle” and said the state is seeking stronger data security measures, as well as financial penalties and damages. According to the American Hospital Association (AHA), an estimated 94 percent of hospitals nationwide experienced some impact from the data breach.
