Iowa Attorney General Sues Change Healthcare Over Data Breach Affecting 2.2 Million Iowans

What happened

Iowa Attorney General Brenna Bird filed a lawsuit against Change Healthcare over a large-scale data breach that affected nearly 2.2 million Iowans. The lawsuit alleges violations of Iowa’s Consumer Fraud Act and Personal Information Security Breach Protection Act. According to the attorney general’s office, the breach began on Feb. 11, 2024 and went undetected until Feb. 21, 2024. During that period, a criminal hacker moved through Change Healthcare’s systems, created privileged administrator accounts, installed malware, and stole sensitive data. The attorney general said the stolen information included Social Security numbers, driver’s license numbers, health insurance information, medical records, billing details, and other sensitive data. The lawsuit also says Change Healthcare waited five months before notifying affected Iowans.

Who is affected

The direct impact falls on nearly 2.2 million Iowa residents whose sensitive information was exposed in the breach. Iowa healthcare providers and care facilities were also affected after Change Healthcare took systems offline, forcing some providers to deliver care without payment for insurance claims and pushing others to absorb costs tied to switching claims processors.

Why CISOs should care

This case matters because it combines large-scale exposure of sensitive personal and medical information with extended operational disruption across the healthcare system. It also puts focus on breach detection gaps, delayed consumer notification, and the legal and financial consequences that can follow when a cyber incident affects both patients and provider operations.

3 practical actions

1. Review breach-detection coverage closely: Test whether attackers could create privileged administrator accounts, install malware, and move through critical systems without being detected for an extended period.
2. Treat notification timing as a core control: Make sure breach response plans can support timely consumer notification once sensitive personal and medical data is confirmed exposed.
3. Measure operational dependency before a shutdown: Assess how taking key systems offline would affect claims processing, provider cash flow, medication access, and continuity of care across the healthcare ecosystem.

For more news about incidents involving exposure of personal and medical information, click Data Breach to read more.