Connecticut Attorney General William Tong urged residents to enroll in free credit monitoring and identity theft protection following the Change Healthcare cyberattack in February 2024, which exposed sensitive health data. The breach potentially impacted up to one-third of Americans, but Change Healthcare has failed to provide individual notice to affected consumers. The AG joined other attorneys general in April 2024 to demand that UnitedHealth Group take more meaningful action to protect those harmed.
In-house legal teams should immediately review all Business Associate Agreements (BAAs) under HIPAA and vendor contracts with Change Healthcare (or its parent UnitedHealth Group) where health data is processed, stored, or transmitted. Specific clauses to scrutinize include: data breach notification timelines and methods (given the failure to provide individual notice), indemnification provisions for breach-related liabilities, mandatory cybersecurity standards and incident response obligations, audit and oversight rights, and termination clauses for non-compliance. Contracts may need amendments to enforce stricter notification deadlines (e.g., within 72 hours), require provision of free credit monitoring for affected individuals, mandate enhanced security controls like encryption and multi-factor authentication, and clarify liability allocation for breaches involving protected health information.
Entity
Change Healthcare
Industry
Healthcare"Change Healthcare, a unit of UnitedHealth, is the nation’s biggest electronic data clearinghouse."
"Data breaches involving PHI are required to be reported to the U.S. Department of Health & Human Services - Office for Civil Rights (hhs.gov) by HIPAA-covered entities."
"The February cyberattack interrupted operations for thousands of doctors’ offices, hospitals, and pharmacies. It also resulted in Americans’ sensitive health and personal data being leaked onto the dark web - a hidden portion of the Internet where cyber criminals buy, sell, and track personal information."
"However, Change Healthcare has not yet provided individual notice to consumers."
"In April, Attorney General Tong joined other attorneys general in sending a letter to UnitedHealth Group, Inc. — the nation's largest health insurer and the parent company of Change Healthcare — urging the corporation to take more meaningful action to better protect providers, pharmacies, and patients harmed by the recent breach."
On May 11, 2026, Connecticut Attorney General William Tong led a bipartisan coalition of 21 attorneys general in submitting a comment letter to the U.S. Food and Drug Administration (FDA) urging the agency to abandon draft guidance that would ease approvals for flavored e-cigarette products. The coalition argues the guidance ignores evidence that flavored e-cigarettes disproportionately drive youth addiction and that FDA has failed to enforce existing authorization requirements for e-cigarette products. The letter references past tobacco and e-cigarette enforcement actions, including the 1998 tobacco master settlement agreement and the 2022 $438.5 million settlement with JUUL Labs.
Connecticut’s legislature passed House Bill 5312, creating new civil enforcement mechanisms for deepfake digital sexual assault, including unauthorized dissemination of synthetically created intimate images and AI-generated child pornography. The bill establishes a private right of action for victims and empowers the Connecticut Attorney General to pursue civil injunctions and penalties against abusers and platforms hosting illegal content. This builds on prior Connecticut laws criminalizing unauthorized intimate image dissemination.
Connecticut Attorney General William Tong praised final passage of House Bill 5312, which creates new civil enforcement mechanisms for deepfake digital sexual assault. The legislation allows the AG to pursue civil injunctions and penalties against platforms that disseminate illegal synthetic intimate images, including AI-generated child pornography, and establishes a private right of action for victims. The bill builds on prior Connecticut laws criminalizing unauthorized dissemination of intimate images.
$300K
Connecticut Attorney General William Tong announced a settlement with international trade platform Made-in-China to cease all U.S. sales of unlawful 'research grade' GLP-1 weight loss drugs following an investigation into direct sales to consumers without prescriptions or medical oversight. The settlement prohibits the platform from hosting GLP-1 sales to U.S. customers, requires a monitoring system to remove non-compliant listings, and imposes a $300,000 penalty suspended after an initial $30,000 payment. Additional settlements were announced with Radiance Medspa and Advanced Medical Weight Loss over compounded non-FDA approved GLP-1 drugs.
Connecticut Attorney General William Tong issued a statement on May 1, 2026, announcing the final passage of bipartisan legislation targeting youth social media addiction and artificial intelligence harms. The legislation imposes new obligations on social media companies regarding minor account settings, parental consent, and reporting, as well as requirements for AI chatbot operators and employers using automated decision tools. The statement also references ongoing enforcement actions against Meta and TikTok for allegedly designing addictive platform features for youth.
Connecticut Attorney General William Tong issued a statement on May 1, 2026, following final passage of bipartisan legislation to combat youth social media addiction and regulate artificial intelligence harms. The legislation imposes new requirements on social media companies regarding minor users, including parental consent for addictive algorithms, default privacy settings, and annual reporting obligations. It also establishes rules for AI chat bots and automated employment decision tools, including disclosure requirements and self-harm detection protocols.