Iowa AG Files Lawsuit Against Change Healthcare over 2024 Data Breach

Change Healthcare, a subsidiary of UnitedHealth Group, processes billions of medical transactions each year and is a critical hub for claims clearing, pharmacy benefit management, and revenue cycle services. The company already faced a high‑profile ransomware incident in 2023 that disrupted hospitals nationwide and prompted federal investigations. Those events highlighted the sector’s vulnerability to sophisticated cyber‑actors and raised questions about the adequacy of existing security controls. The latest Iowa lawsuit adds a new legal dimension to the ongoing scrutiny of the firm’s data‑protection practices.

The Iowa Attorney General’s office filed the complaint on March 31, alleging that Change Healthcare violated state consumer‑protection and data‑security statutes after a breach that began on Feb. 11, 2024. According to the filing, hackers created unauthorized administrator accounts, installed malware and exfiltrated data for ten days before detection. The compromised records include Social Security numbers, driver’s licenses, insurance details, medical histories and billing information for roughly 2.2 million Iowans. By framing the incident as a statutory violation, the suit seeks injunctive relief, civil penalties and restitution for affected residents.

The Iowa action marks only the second state‑level lawsuit against Change Healthcare, suggesting that regulators are moving from investigations to enforcement. Healthcare providers that rely on the platform may face higher compliance costs and could be compelled to renegotiate contracts to include stronger cybersecurity clauses. Industry observers expect the case to accelerate federal discussions about mandatory breach‑notification standards and may prompt other states to file similar actions. Ultimately, the lawsuit underscores the growing financial and reputational risks for health‑tech firms that fail to safeguard patient data.