A Nebraska court allowed the state AG’s lawsuit against Change Healthcare to proceed, stemming from the February 2024 ALPHV/BlackCat ransomware attack exposing health and personal data of an estimated 100 million individuals, signaling that state attorneys general are prepared to pursue healthcare entities for inadequate cybersecurity controls independent of federal enforcement. This is a governance and legal risk intelligence item, not an active exploitation alert; no new technical IOCs are associated with the ruling. Healthcare organizations handling PHI should audit MFA enforcement across remote access points (T1078 was the assessed initial access vector), document HIPAA Security Rule control implementation against NIST SP 800-66r2, and assess state AG enforcement exposure across jurisdictions where they hold resident data — the latter is a legal determination requiring qualified counsel.