Nebraska Court Lets Suit Against Breached Health Care Systems Continue
A Nebraska state court allowed a lawsuit against three health care providers to continue, ruling the state's charges that the companies violated its consumer protection and data security laws were sufficient, the attorney general said Thursday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Nebraska Attorney General Mike Hilgers (R) said the health data of nearly half the state's 2 million citizens was exposed in the February 2024 breach of Change Healthcare, UnitedHealth Group and Optum (see 2501270041). Nebraska filed the complaint in December 2024.
The suit accuses the health care companies of failing to implement proper security measures, putting the sensitive information at risk; delay in detecting the breach; and delays in notifying consumers, as it took the companies five months to begin informing those impacted.
Though Change Healthcare motioned to dismiss the complaint, Lancaster County District Court rejected the motion following arguments in June.
The state court Thursday found the complaint “contains extensive factual allegations to show both unreasonableness and unfairness in Defendants’ data security practices,” said Judge Susan Strong, in the order filed Nov. 10. Additionally, it “adequately alleged ongoing violations of the CPA and a risk of future harm.”
“The Court’s decision ensures we can continue pursuing accountability and promoting stronger protections for Nebraskans’ health information,” Hilgers said.