The AG is seeking financial damages, civil penalties, and improvements to UnitedHealth Group’s cybersecurity practices.
What happened
Iowa State Attorney General Brenna Bird filed a lawsuit on March 31st against UnitedHealth Group (UHG) and its business units Optum and Change Healthcare. The lawsuit claims that UHG violated Iowa law, specifically Iowa’s Consumer Fraud Act and Personal Information Security Breach Protection Act, as well as national laws, citing HIPAA violations, delayed breach notifications, and more.
The lawsuit is seeking $40,000 in civil penalties per violation of Iowa consumer laws. Additionally, the lawsuit is seeking $5,000 for each violation of state consumer laws affecting older individuals. Lastly, the suit is seeking financial damages for individuals injured by the alleged violations of Iowa’s Personal Information Security Breach Protection Act.
The backstory
The lawsuit follows a huge ransomware attack that took place against Change Healthcare in 2024, impacting an estimated 193 million people in the US. Approximately 2.2 million Iowa residents were impacted. The incident resulted in a host of valuable data being stolen, including Social Security numbers, driver’s license numbers, health insurance information, and more. The attack was claimed by Russian-speaking ransomware gang BlackCat.
Beyond the data theft, the incident also halted numerous business operations, leaving pharmacies and medical practices scrambling for months while the Change system was shut down.
What was said
AG Bird said, “This was a preventable debacle. And instead of owning up to it, Change kept Iowans in the dark for five months, critical time they could have used to protect their leaked data.”
Bird spoke specifically about how the event impacted Iowans, stating in the complaint, “Defendants’ conduct caused direct and significant economic harm to Iowans and Iowa healthcare providers. The collapse of Change’s systems halted a significant number of insurance-related private healthcare transactions in the state…The harms flowing from this unprecedented failure reverberated throughout the Iowa healthcare system.”
In response, UHG issued a statement to Gov Info Security rejecting the claims: “We believe this lawsuit is without merit and we intend to defend ourselves vigorously.”
The big picture
The Iowa lawsuit follows just one other that has been filed against UnitedHealth regarding the Change data breach. The other suit was filed by Nebraska AG Mike Hilgers in December 2025 and makes similar allegations. Twenty-two state AGs have also formed a coalition demanding UHG assist organizations impacted by the attack and the disruptions that followed. Still, the possibility remains that other state AGs will similarly file lawsuits against UHG, especially depending on how the lawsuits from Iowa and Nebraska shake out.
Generally, lawsuits that follow data breaches take the form of class action suits: suits filed by the victims themselves, rather than government officials. Furthermore, those lawsuits generally settle. In this case, however, UHG appears prepared to defend itself at trial, a decision usually made from a cost-benefit analysis. Most organizations choose to settle class action suits because the cost and uncertain outcome of a trial are too risky. In this case, UHG may believe meeting the terms of the suit would be too expensive. It may also have reason to believe that it can win the legal battle in court.
Whether the state AGs or UHG win these lawsuits could lay the groundwork for future legal and state responses to massive data breaches, which, although rare, are no longer completely uncommon. Other massive breaches, like the hacks against Aflac (nearly 23 million victims) and Yale New Haven Health System (approximately 5.5 million victims), took place in 2025 and show that data breaches continue to be a top concern for healthcare companies.
FAQs
When will we know the results of the lawsuit?
Lawsuits like these can be a lengthy process, often lasting up to several years. Considering the vast amounts of data and organizations involved, and that UHG does not seem interested in reaching a settlement, the process will likely take some time.
Could an incident like the attack on Change Healthcare happen again?
Yes. With the increasing interoperability between healthcare providers and vendors like UHG, it’s possible that another massive data breach could take place. At the same time, the breach taught providers and cybersecurity experts many lessons about protecting data and preventing operational disruptions during attacks.
