Iowa AG v. Change Healthcare - Data Breach
Summary
Iowa Attorney General Brenna Bird filed a lawsuit against Change Healthcare for violations of Iowa's Consumer Fraud Act and Personal Information Security Breach Protection Act. The February 2024 data breach exposed personal information of approximately 2.2 million Iowans, including Social Security numbers, driver's license numbers, health insurance information, and medical records. The lawsuit seeks injunctive relief for stronger data security measures, restoration of ill-gotten gains, and payment of penalties and damages.
What changed
The State of Iowa filed an enforcement action against Change Healthcare for a data breach that began on February 11, 2024, and remained undetected for 10 days while hackers created privileged administrator accounts, installed malware, and stole sensitive data including Social Security numbers, driver's license numbers, health insurance information, medical records, and billing details. Change Healthcare failed to notify affected Iowans for five months after discovering the breach, which caused widespread disruption to Iowa's healthcare system, including provider payment failures and patient treatment delays.
Healthcare providers and technology companies handling sensitive consumer data should review this enforcement action when assessing their own data security practices and breach notification procedures. The AG's office is seeking court orders requiring stronger data security measures and restoration of ill-gotten gains. Organizations should ensure their incident response plans include timely breach notification compliance and adequate cybersecurity infrastructure. This action underscores state enforcement priority on data privacy violations affecting large populations.
What to do next
- Review and strengthen data security infrastructure to prevent unauthorized system access
- Audit breach detection and notification procedures to ensure timely consumer alerting
- Review incident response plans for healthcare system interdependencies
Penalties
Penalties and damages sought under Iowa's Consumer Fraud Act and Personal Information Security Breach Protection Act; specific dollar amounts not stated in filing
Source document (simplified)
March 31, 2026
Attorney General Brenna Bird Announces Lawsuit against Change Healthcare for Catastrophic Data Breach
DES MOINES — Attorney General Brenna Bird announced today she has filed a lawsuit against Change Healthcare for violations of Iowa’s Consumer Fraud Act and Personal Information Security Breach Protection Act, stemming from a large-scale data breach that affected nearly 2.2 million Iowans.
The breach began on February 11, 2024, and was not discovered until February 21, 2024. For ten days, a criminal hacker navigated Change’s systems undetected, creating privileged administrator accounts, installing malware, and stealing sensitive data. The stolen data included Social Security numbers, driver’s license numbers, health insurance information, medical records, billing details, and more.
When it finally recognized the breach, Change took its systems offline, causing widespread disruption to Iowa’s healthcare system. Providers were forced to deliver care without receiving payment for insurance claims, while others incurred significant costs switching to a new claims processor. Patients faced delays in receiving medications and treatments.
Change then delayed notifying affected Iowans, doing so only after five months.
“The Change Healthcare data breach made history for all the wrong reasons,” said Attorney General Bird. “From the 2.2 million Iowans whose sensitive data was exposed for criminals to exploit to the loss of critical care to the terrible financial burden foisted on Iowa hospitals and care facilities, this was a preventable debacle. And instead of owning up to it, Change kept Iowans in the dark for five months, critical time they could have used to protect their leaked data. I’m suing to stand up for Iowans’ rights, to hold Change Healthcare financially accountable, and to remedy their data security inadequacies so this never happens again.”
The lawsuit exposes the following deficiencies in Change Healthcare’s system:
- Outdated IT systems
- Inadequate response to the breach
- Delays in notifying consumers of the breach
- Widespread operational disruptions
- Financial and operational burdens
- Significant harm to Iowa patients' sensitive data and information

The Attorney General’s Office asks the Court to order the company to implement stronger data security measures, restore ill-gotten gains, and pay penalties and damages for the harm caused to Iowa residents and healthcare providers.
Read the full petition here.
For More Information:
Jen Green