Industry - Data Breach
Executive Summary
Iowa's Attorney General filed a lawsuit against Change Healthcare following a February 2024 data breach that exposed sensitive information - including Social Security numbers, medical records, and health insurance details - of nearly 2.2 million Iowans. The breach went undetected for 10 days while hackers installed malware and stole data through a remote access portal lacking multifactor authentication, and the company waited five months to notify affected individuals. The lawsuit alleges vio...
What Happened
In February 2024, hackers breached Change Healthcare's systems through a remote access portal that lacked multifactor authentication, remaining undetected for 10 days while installing malware and stealing sensitive data. The breach exposed Social Security numbers, driver's license numbers, medical records, health insurance information, and billing details of approximately 192.7 million people nationwide, including nearly 2.2 million Iowans. Change Healthcare paid a $22 million ransom to the BlackCat ransomware group, but the affiliate retained copies of the data and attempted additional extortion through RansomHub. Iowa's Attorney General filed a lawsuit in March 2026 alleging violations of the state's Consumer Fraud Act and Personal Information Security Breach Protection Act, citing th...
Who Is Affected
Approximately 192.7 million individuals across the United States are affected, making this the largest healthcare data breach in U.S. history. In Iowa specifically, nearly 2.2 million residents had their sensitive personal and medical information exposed. Healthcare providers and patients also experienced significant operational impacts, including delayed insurance claim payments, medication access disruptions, and treatment delays while Change Healthcare's systems remained offline during the incident response.
Why It Matters
This breach represents the largest healthcare data exposure in U.S. history, demonstrating how a single point of failure in healthcare payment infrastructure can create cascading privacy and operational consequences across an entire national system. The breach occurred through a basic security failure - lack of multifactor authentication on a remote access portal - and the five-month notification delay prevented affected individuals from taking timely protective action. The lawsuit establishes potential legal precedent for holding healthcare data processors accountable for inadequate security measures and delayed breach notifications under state consumer protection laws.
What You Should Do
If you are among the affected individuals, enroll immediately in the complimentary credit monitoring and identity theft protection services offered by Change Healthcare before the August 26, 2025 deadline. Place fraud alerts with the three major credit bureaus and monitor your medical records, insurance statements, and financial accounts for unauthorized activity or fraudulent claims. Consider freezing your credit to prevent identity thieves from opening new accounts using your stolen information, and review your explanation of benefits statements carefully for medical services you did not receive.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.
Sources
- Change Healthcare faces lawsuit after data breach affecting 2.2M Iowans - KWWL
- Data Breach Alert: Edelson Lechtzin LLP Investigates CareCloud, Inc., Data Breach - morningstar.com
- VINDICATION: Major Consent Decree Blocks Social Media From Colluding With the Federal Government To Censor Americans - American Center for Law and Justice