
UHG faces legal storm over Change Healthcare data breach

Multiple class action lawsuits have raised negligence claims in light of the recent Change Healthcare data breach. 


What happened

Following the ransomware attack on Change Healthcare, multiple class action lawsuits have been initiated against UnitedHealth Group Incorporated and its subsidiaries, including UnitedHealthcare, Inc., Optum, Inc., and Change Healthcare Inc. (UHG). The lawsuits include Nicolas Keriazis v. UnitedHealth Group Incorporated, UnitedHealthcare Inc., Optum Inc., and Change Healthcare Inc., Robert Reese v. Change Healthcare Inc., and Robert Mackey v. United Health Group Incorporated; UnitedHealthcare Inc.; Optum Inc.; and Change Healthcare Inc.

Plaintiffs argue that the data breach, which potentially exposed the protected health information (PHI) of millions, was a direct result of UHG's failure to implement adequate cybersecurity measures.

The lawsuits, filed in Tennessee and Minnesota, claim violations of HIPAA and Federal Trade Commission (FTC) guidelines, and allege negligence, negligence per se, breach of third-party beneficiary contract, and unjust enrichment, among other charges. They seek compensatory, consequential, and general damages, alongside statutory damages that may be trebled and punitive or exemplary damages, and demand injunctive relief, including court-ordered improvements to UHG's cybersecurity infrastructure to prevent future breaches.


The backstory

On February 21, 2024, Change Healthcare fell victim to a ransomware attack orchestrated by the Blackcat group, resulting in the theft of 6 TB of data and significant disruptions to its operations. In the aftermath, allegations surfaced regarding a $22 million ransom payment made by Optum to secure the decryption keys and stolen data, a claim complicated by accusations of misappropriation by the Blackcat group and subsequent law enforcement intervention. Despite these complexities, UnitedHealth Group and its subsidiaries UnitedHealthcare, Optum, and Change Healthcare (collectively, UHG) have not confirmed the full extent of the data breach or whether a ransom was paid, focusing instead on recovery efforts and ongoing investigations.

Read more: Blackcat ransomware gang behind ongoing Change Healthcare disruption


What was said

In a letter to the HHS regarding the implications of the Change Healthcare breach, the AHA stressed the seriousness of the breach for hospital operations: “Change Healthcare’s downed systems also will have an immediate adverse impact on hospitals’ finances and the work they do every day to care for patients and communities. Their interrupted technology controls providers’ ability to process claims for payment, patient billing and patient cost estimation services. Any prolonged disruption of Change Healthcare’s systems will negatively impact many hospitals’ ability to offer the full set of health care services to their communities. After all, without this critical revenue source, hospitals and health systems may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services.”

In the Keriazis lawsuit, the complaint pointedly accuses UHG of negligence, stating, "The lawsuit claims the data breach was preventable, and was due to UHG implementing inadequate cybersecurity practices and policies that fell short of the industry-standard measures."


Why it matters

This breach represents a convergence of privacy, healthcare service delivery, and cybersecurity issues. Change Healthcare, a major player in the healthcare infrastructure, facilitates billing, claims processing, and health information exchanges for a vast network of providers, payers, and pharmacies. The cyberattack's disruption of these services has brought to light the vulnerability of healthcare operations to cybersecurity threats. It also shows how these threats can affect millions who depend on timely access to medications and medical services. This, coupled with the lawsuits' allegations about the breach's preventability, reveals the need for extensive accountability amongst service providers in the healthcare sector.




What is a class action?

A class action is a lawsuit filed by one or more individuals on behalf of a larger group of people who are similarly affected by the same issue.


What is a data breach?

A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.


Who do we report breaches to?

Breaches should be reported to relevant authorities in the HHS. 
