
Insurer sues Change Healthcare for $1M after paying out ransomware losses


An insurance carrier that paid a policyholder's losses from the February 2024 Change Healthcare attack has gone to federal court to recover those costs directly from the vendor that it says caused them.

 

What happened

Allied World Insurance Company filed a complaint on May 14, 2026, in the US District Court for the District of Minnesota seeking to recover more than $1 million from Change Healthcare following the February 2024 ransomware attack. According to Insurance Business Magazine, the lawsuit is a subrogation action. Allied World paid out a claim to its insured, Avesis, an Arizona-based dental insurance company, and now steps into Avesis's legal position to pursue Change Healthcare directly. Under a Business Services Payer Agreement, Change Healthcare handled printing and mailing of provider termination letters, invoices, member ID cards, Medicare denial notices, explanations of benefits, and utilization management letters for Avesis, as well as running the electronic claims clearinghouse, moving claims and payments between providers and the dental plan. When Change Healthcare took its systems offline on February 21, 2024, those services stopped suddenly and without warning. Avesis was forced to retain alternate vendors or bring services in-house, incurring costs exceeding $1 million.

 

Going deeper

The complaint alleges the attack was "entirely foreseeable and preventable." Allied World's filing describes how the breach began, drawing on congressional testimony: the username and password of a low-level Change Healthcare customer support employee were posted in a Telegram group advertising stolen credentials. The account had the authority to create accounts with administrative privileges and was not protected by multi-factor authentication. The filing alleges attackers used those credentials to move through Change Healthcare's systems undetected, exfiltrate terabytes of data, and deploy ransomware. Allied World asserts a single-count breach-of-contract claim, arguing that Change Healthcare failed to deliver contracted services, did not follow the agreement's provisions on suspension or termination before pulling services, failed to provide contracted remedies, and failed to maintain adequate safeguards required under the agreement, including the Business Associate Agreement. The case has been filed within MDL 3108, the Minnesota MDL centralizing Change Healthcare-related litigation before Judge Donovan W. Frank.

 

What was said

Allied World's complaint, as reported by Insurance Business Magazine, states that Change Healthcare "intentionally made the applications and services it provided to its customers inoperable" and alleges the company "was compelled to stop providing such services as a result of its own gross negligence, recklessness, and willful misconduct in the securing of their own computer systems." Change Healthcare has not yet filed a response, and no court has ruled on the allegations.

 

In the know

The Allied World complaint is one of several major developments still unfolding from the February 2024 attack. OCR opened an investigation into Change Healthcare's HIPAA compliance shortly after the breach and has not yet announced findings or penalties, though the agency has indicated high-impact breaches are a priority. UnitedHealth Group, which owns Change Healthcare, disclosed total cyberattack response costs exceeding $2.3 billion by early 2026, according to Cybersecurity Dive. The company is also under a separate DOJ antitrust investigation into the relationship between UnitedHealthcare and Optum, as confirmed by Healthcare Dive. Settlement discussions in MDL 3108 were ordered by the court in early 2025, with magistrate-supervised negotiations between patient class action plaintiffs and defendants ongoing. Change Healthcare has not yet filed a response to the Allied World complaint, and no court has ruled on the allegations.

 

The big picture

The Change Healthcare attack set a benchmark that reshaped how healthcare organizations think about vendor dependency. A single vendor processing 15 billion transactions annually and touching one in every three US patient records created a single point of failure that, when it went offline, disrupted pharmacies, hospitals, and insurers simultaneously for weeks. The Allied World subrogation lawsuit captures what that dependency actually costs downstream: a dental insurer forced to absorb over $1 million in operational costs when a vendor it relied on for core administrative functions simply stopped working. The breach also showed that a business associate agreement is only as useful as the security standards it requires and the remedies it provides when those standards are not met. According to the Verizon 2026 Data Breach Investigations Report, 32% of healthcare breaches now involve third parties, up 60% year over year, making vendor contract terms and security verification requirements the most consequential gap in healthcare's current compliance posture.

 

FAQs

What is subrogation, and why does it allow an insurer to sue a vendor?

Subrogation is a legal mechanism that allows an insurer who has paid a policyholder's loss to step into that policyholder's legal position and pursue recovery from the party responsible for the loss. Allied World paid Avesis's costs, and now pursues Change Healthcare in Avesis's place for the same amount.

 

What did the complaint say about how the breach started?

The filing drew on congressional testimony to describe the entry point: a low-level customer support employee's credentials appeared in a Telegram group advertising stolen logins. The account could create admin-level accounts and lacked multi-factor authentication, allowing attackers to access and move through Change Healthcare's systems without triggering alerts.

 

What is MDL 3108, and what types of cases does it include?

MDL 3108 is the multidistrict litigation in the US District Court for the District of Minnesota that centralizes all federal lawsuits related to the Change Healthcare ransomware attack. It includes consumer class actions, healthcare provider business interruption claims, and now insurer subrogation actions, such as Allied World's.

 

What does this lawsuit mean for how healthcare organizations should structure vendor contracts?

The Allied World complaint details specific contractual provisions that Avesis claims Change Healthcare violated: suspension and termination notice requirements, contracted-for remedies, and security safeguards outlined in the Business Services Payer Agreement. Healthcare organizations should ensure that vendor contracts include enforceable security standards, specific breach-notification timelines, and remedies for service disruption caused by the vendor's own security failures.

 
