The lawsuit, filed in a Maryland state court in late February, alleges that the UnitedHealth Group subsidiary's cybersecurity standards were insufficient to prevent the attack. The Russian ransomware group responsible for the cyberattack used stolen credentials to remotely access a company portal that didn't have multifactor authentication. CareFirst is seeking $900,000 in damages, along with interest and attorney fees.