High Severity (Score: 6/10)

Iowa AG Sues Change Healthcare Over 2024 Ransomware Attack

Breach Details

  • Entity: Iowa AG Sues Change Healthcare Over 2024
  • Individuals Affected: Undisclosed
  • State: IA
  • Breach Type: Hacking/IT Incident
  • Location: Unknown
  • Date Reported: April 2, 2026
  • Entity Type: Healthcare Provider
  • Business Associate: No

Iowa Attorney General Brenna Bird has filed a significant lawsuit against Change Healthcare, UnitedHealth Group, and Optum following a devastating ransomware attack that occurred in February 2024. This legal action represents one of the most high-profile state responses to a healthcare data breach in recent years.

What Happened

In February 2024, Change Healthcare suffered a major ransomware attack that disrupted healthcare operations across the United States. The cyberattack targeted Change Healthcare's systems, which process billions of healthcare transactions annually and serve as critical infrastructure for the U.S. healthcare system.

The attack caused widespread disruptions to:

  • Prescription processing at pharmacies nationwide
  • Claims processing for insurance companies
  • Payment systems for healthcare providers
  • Prior authorization processes for medical treatments

Iowa's lawsuit, filed in April 2026, alleges that the companies failed to adequately protect sensitive patient data and maintain proper cybersecurity measures as required under HIPAA regulations.

Who Is Affected

While the exact number of individuals affected remains undisclosed, the scope of this breach is potentially massive given Change Healthcare's role as one of the largest healthcare technology companies in the United States. The company processes:

  • Over 15 billion healthcare transactions annually
  • Data for approximately 1 in 3 patient records in the U.S.
  • Payments for thousands of hospitals, clinics, and healthcare providers
  • Prescription information for major pharmacy chains

Patients whose data may have been compromised include those who:

  • Received medical care from providers using Change Healthcare systems
  • Had prescriptions processed through affected pharmacy networks
  • Had insurance claims handled by connected insurers

Breach Details

  • Breach Type: Hacking/IT Incident (Ransomware)
  • Entity: Change Healthcare (Healthcare Technology Provider)
  • Location: Systems nationwide
  • Date of Attack: February 2024
  • Date of Lawsuit: April 2, 2026
  • Business Associate Involvement: No direct business associate breach reported

The ransomware attack represents a particularly dangerous type of cybersecurity incident where malicious actors encrypt an organization's data and demand payment for its release. These attacks have become increasingly common in healthcare due to:

  • The critical nature of healthcare data
  • Healthcare organizations' reliance on immediate data access
  • Often inadequate cybersecurity infrastructure in healthcare settings

What This Means for Patients

The Iowa lawsuit highlights several critical concerns for patients:

Legal Accountability

State attorneys general are taking increasingly aggressive stances against healthcare organizations that fail to protect patient data. This lawsuit could set important precedents for:

  • Corporate responsibility in healthcare cybersecurity
  • State enforcement of privacy protections
  • Financial penalties for HIPAA violations

Ongoing Privacy Risks

Even two years after the initial attack, patient data compromised in the breach may still pose risks:

  • Identity theft using stolen personal information
  • Medical identity theft for fraudulent healthcare services
  • Financial fraud through compromised insurance information

Healthcare System Vulnerabilities

The breach exposed critical weaknesses in healthcare infrastructure that could affect future patient care and data security.

How to Protect Yourself

If you believe your information may have been affected by this breach, take these important steps:

Monitor Your Accounts

  • Review medical bills and insurance statements for unauthorized charges
  • Check credit reports regularly for suspicious activity
  • Monitor bank accounts for unexpected transactions
  • Watch for unusual medical communications from unknown providers

Verify Your Medical Records

  • Request copies of your medical records annually
  • Report discrepancies to your healthcare providers immediately
  • Ensure accuracy of insurance beneficiary information

Enhance Your Security

  • Use strong, unique passwords for all healthcare portals
  • Enable two-factor authentication where available
  • Be cautious about sharing personal health information
  • Verify requests for medical information before responding

Stay Informed

  • Follow official communications from affected organizations
  • Monitor news updates about the lawsuit's progress
  • Understand your rights under HIPAA and state privacy laws

Prevention Lessons for Healthcare Providers

This breach and subsequent lawsuit offer critical lessons for healthcare organizations:

Cybersecurity Investment

  • Implement robust security measures including encryption and network monitoring
  • Conduct regular security audits and penetration testing
  • Train staff on cybersecurity best practices and threat recognition
  • Develop comprehensive incident response plans

HIPAA Compliance

Under 45 CFR §164.306, covered entities must:

  • Conduct regular risk assessments
  • Implement appropriate safeguards for electronic protected health information (ePHI)
  • Maintain documentation of security measures
  • Report breaches within required timeframes per 45 CFR §164.408

Vendor Management

  • Thoroughly vet technology partners and vendors
  • Require strong cybersecurity standards in contracts
  • Monitor vendor security practices regularly
  • Ensure business associate agreements comply with HIPAA requirements

Legal Preparedness

  • Understand state-specific privacy laws and enforcement trends
  • Prepare for potential litigation following any data incident
  • Maintain adequate cyber insurance coverage
  • Work with legal counsel experienced in healthcare data protection

The Iowa lawsuit against Change Healthcare represents a significant escalation in state enforcement of healthcare privacy protections. As cyber threats continue to evolve, healthcare organizations must prioritize robust cybersecurity measures and HIPAA compliance to protect patient data and avoid similar legal consequences.

Source: This breach was reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal. Data sourced from ocrportal.hhs.gov. Analysis and article generated by HIPAA Agent.