Dive Brief:
- Lawsuits related to the cyberattack at Change Healthcare are accumulating as the healthcare industry endures more than two weeks of disruptions due to the outage at the technology firm.
- At least six lawsuits seeking class-action status have been filed this month. Four were filed in a Tennessee district court where Change is based and two were in Minnesota where parent company UnitedHealth Group is headquartered.
- The suits allege the technology firm didn’t have reasonable cybersecurity measures in place to prevent a data breach, allowing criminals to potentially expose sensitive health and other personal information.
Dive Insight:
The outage at Change, which began on Feb. 21, has had wide-ranging impacts on the healthcare sector, hamstringing key pharmacy and revenue cycle operations.
Providers have reported challenges receiving payment from patients and insurers, verifying coverage, submitting prior authorization requests or exchanging clinical records.
Change processes 15 billion healthcare transactions annually and touches one in every three patient records, according to a letter from the American Hospital Association.
Earlier this week, the CMS rolled out flexibilities that aim to assist providers with growing financial challenges due to the attack, but provider groups argued the sector needs more relief to mitigate the damage. Reporting from Stat News published last Thursday found the outage could last weeks.
Some patients have also reported challenges receiving their prescriptions. In one lawsuit filed Tuesday in Minnesota, the plaintiff was unable to use his health insurance to fill two prescriptions and had to pay full price to receive his medications. Another suit filed in Minnesota alleged a patient faced challenges quickly accessing his prescription after the Change outage, potentially risking health impacts.
The suits filed in Tennessee name Change as the defendant, while those in Minnesota name UnitedHealth, insurer UnitedHealthcare, health services segment Optum and Change. They all argue the tech firm didn’t have adequate protections in place to safeguard sensitive health information.
One of the suits filed in Minnesota also cited communications from the ransomware group AlphV, or Blackcat, which UnitedHealth confirmed last week had taken responsibility for the attack. The suit said the group claimed to have exfiltrated data like medical records, payment information as well as patient contact details and Social Security numbers.
When reached for commented a UnitedHealth spokesperson said the company is “focused on the investigation and restoring operations at Change Healthcare.”
The lawsuits come as cyberattacks against the healthcare sector become more common — and so have lawsuits related to data breaches.
A Bloomberg Law analysis published last summer found the monthly average of new class actions filed over health data breaches thus far in 2023 was nearly double the rate from the previous year.