Dive Brief:
- Lawsuits related to the cyberattack at Change Healthcare are accumulating as the healthcare industry endures more than two weeks of disruptions due to the outage at the technology firm.
- At least six lawsuits seeking class-action status have been filed this month. Four were filed in the U.S. District Court for the Middle District of Tennessee where Change is based and two were in the U.S. District Court for the District of Minnesota where parent company UnitedHealth Group is headquartered.
- The suits allege the technology firm didn’t have reasonable cybersecurity measures in place to prevent a data breach, allowing criminals to potentially expose sensitive health and other personal information.
Dive Insight:
The outage at Change, which began on Feb. 21, is impacting the entire healthcare sector, hamstringing key pharmacy and revenue cycle operations.
Providers have reported challenges receiving payment from patients and insurers, verifying coverage, submitting prior authorization requests or exchanging clinical records.
Change processes 15 billion healthcare transactions annually and touches 1 in 3 patient records, according to a letter from the American Hospital Association.
Earlier this week, the CMS rolled out flexibilities that aim to assist providers with growing financial challenges due to the attack, but provider groups argued the sector needs more relief to mitigate the damage.
Some patients have also reported challenges receiving their prescriptions. In one lawsuit filed Tuesday in the Minnesota court, the plaintiff was unable to use his health insurance to fill two prescriptions and had to pay full price to receive his medications. Another suit filed in the Minnesota court alleged a patient faced challenges quickly accessing his prescription after the Change outage, potentially risking health impacts.
The suits filed in Tennessee name Change as the defendant, while those in Minnesota name UnitedHealth, insurer UnitedHealthcare, health services segment Optum and Change. They all argue the tech firm didn’t have adequate protections in place to safeguard sensitive health information.
One of the suits filed in Minnesota also cited communications from the ransomware group AlphV, or BlackCat, which UnitedHealth confirmed last week had taken responsibility for the attack. The suit said the group claimed to have exfiltrated data like medical records, payment information as well as patient contact details and Social Security numbers.
When reached for comment a UnitedHealth spokesperson said the company is “focused on the investigation and restoring operations at Change Healthcare.”
The lawsuits come as cyberattacks against the healthcare sector become more common — and so have lawsuits related to data breaches.
A Bloomberg Law analysis published last summer found the monthly average of new class actions filed over health data breaches through August of 2023 was nearly double the rate from the previous year.
