Legal.io
May 09, 2024

State Attorneys General Demand Enhanced Data Privacy Measures After Healthcare Cyberattack

Change Healthcare suffered a devastating ransomware attack earlier this year, forcing it to shut down its systems, leading UnitedHealth Group to pay a $22M ransom.

State Attorneys General Demand Enhanced Data Privacy Measures After Healthcare Cyberattack

On February 21, 2024, Change Healthcare, the largest healthcare payment system in the United States, announced that it had been targeted in a ransomware attack. This attack resulted in its systems shutting down. The American Hospital Association (AHA) characterized it as “the most significant and consequential cyberattack on the U.S. healthcare system in American history,” with an AHA survey showing more than 90% of hospitals reporting some financial impact.

The attack has crippled Change Healthcare, a company that provides a widely used program for healthcare providers to manage customer payments and insurance claims. The company has taken most of its systems offline to prevent the attack from spreading. The outage has been devastating for small and midsize healthcare providers.

$22M Ransom Paid in Response

In response to the attack, UnitedHealth Group, the parent company of Change Healthcare, paid a suspected ransom of $22M via Bitcoin to a digital-asset wallet associated with Russian “cybersecurity threat actor ALPHV/Blackcat.” UnitedHealth Group CEO Andrew Witty called it “one of the hardest decisions I’ve ever had to make.”

The recovery process is underway. Starting on March 7, 2024, UnitedHealth has publicly announced and updated timelines to restore key Change Healthcare systems. Most recently, on April 22, 2024, the company stated that while UnitedHealth had identified some Protected Health Information (PHI) and Personally Identifiable Information (PII) among the data accessed in the attack, it had not seen any evidence of extraction of certain especially-sensitive materials.

22 Attorneys General Call for Further Action

On April 25, 2024, the attorneys general of 22 states issued a letter encouraging UnitedHealth Group and its subsidiary, Change Healthcare, to take additional steps to respond to the massively disruptive cyberattack. The broad, bipartisan group of signatories reflects both the scale of the attack’s impact and its implications for the priorities of state attorneys general—from healthcare regulation to data privacy.

The attorney general coalition, led by Minnesota Attorney General Keith Ellison, deemed the UnitedHealth and Change Healthcare response to the attack as “inadequate.” The bipartisan group of attorneys general—including those from California, New York, Massachusetts, Nebraska, South Dakota, and Utah—requested several specific actions, including developing a dedicated complaint resolution mechanism for state agency complaints and a helpline for affected providers and pharmacies to resolve questions or affected claims.

The letter also urged UnitedHealth Group and Change Healthcare to engage in further engagement with those entities most likely to be impacted by the changes and a “comprehensive impact analysis” before making a final decision on the scope of each specific change and the best means of implementing it.

The Implications of the Cyberattack on the Healthcare Industry

The cyberattack on Change Healthcare has brought to light several key implications for the healthcare industry and beyond.

Firstly, it has exposed the vulnerability of the healthcare system to cybercrime. The attack has shown how a single cyberattack can disrupt the operations of healthcare providers, affecting their ability to provide care to patients. This has underscored the need for robust cybersecurity measures within the healthcare industry.

Secondly, the attack has highlighted the importance of data privacy. With the breach of Change Healthcare’s systems, sensitive patient data was potentially exposed. This has sparked discussions about the need for stronger data privacy protections and regulations.

The attack has raised questions about third-party risk management. Change Healthcare, as an intermediary between healthcare providers, patients, and payers, plays a crucial role in the healthcare payment system. The disruption of its services due to the cyberattack has shown the risks associated with relying on third parties for essential services.

The call to action from the 22 state attorneys general has underscored the role of regulatory bodies in ensuring the security and privacy of data. It has shown that regulatory bodies are prepared to step in and demand action when companies fail to adequately protect their systems and data.

GovernmentPrivacy

Customer Stories

See how leading enterprise in-house teams have scaled smarter with Legal.io's high-caliber flex talent.

Plaid
How Plaid used Legal.io for Flexible, Cost Effective Legal Talent

FINANCE / ENTERPRISE

Medallia
How Medallia Managed Legal Overflow and Accelerated Deals with Legal.io

SAAS / ENTERPRISE

Verily
How Verily Addressed High-Volume Commercial Counsel Needs with Legal.io

HEALTHCARE / ENTERPRISE

Zoom
How Zoom Streamlined Legal Operations with Flexible Staffing

TECHNOLOGY / ENTERPRISE

More from Legal.io

Advanced Parole or H-1B?
Advanced Parole or H-1B?

It is a stressful, but rewarding, time when a noncitizen finally begins their adjustment of status process to obtain a green card.

CriminalImmigration
Aug 19, 2015
Read More
CIR's Startup Entrepreneur Visa
CIR's Startup Entrepreneur Visa

The discussion and debate around the proposed Immigration Reform bill continues.

Immigration
Aug 19, 2015
Read More
Legal Insights
California’s February 2025 Bar Exam Sees Record-High 56% Pass Rate

The February 2025 California bar exam saw a record 56% pass rate, aided by a Supreme Court-ordered score adjustment and bonuses for prior test participants.

May 05, 2025
Read More
Legal Insights
Orbital Raises $60 Million To Scale AI For Real Estate Legal Work

Orbital has closed a $60M Series B led by Brighton Park Capital, with backing from RELX’s venture arm and The LegalTech Fund, as it expands in the U.S.

Jan 28, 2026
Read More
Legal.io Newsletter - June 3, 2022
Legal.io Newsletter - June 3, 2022

Published weekly on Friday, the Legal.io Newsletter covers the latest in legal, talent & tech.

Legal OperationsTechnology
Jun 03, 2022
Read More
Ready to hire?

Schedule a free consultation to discuss your hiring needs.

Schedule Call
Free 15-min consultation
Legal.io Platform
5 star reviews
Hiring made smarter

Easy-to-use platform for hiring legal talent, managing spend, and optimizing your panel — plus an average savings of 50%.

Need Immediate Help?

Submit a hiring request and let our experts handle the entire process for you.

Submit Hiring Request