CareFirst BCBS Sues Change Healthcare Over February 2024 Ransomware Attack
CareFirst BlueCross BlueShield has filed a lawsuit against Change Healthcare in response to the February 2024 ransomware attack that caused extensive disruption to Change Healthcare’s services. CareFirst BlueCross BlueShield provides health plans to 3.5 million individuals and groups in Maryland and the Washington D.C. metropolitan area and has a 75% share in the Federal Employees Health Benefits Program, which has more than 626,000 members.
The CareFirst lawsuit was filed a year to the day after the ransomware attack by the ALPHV/BlackCat ransomware group, which gained access to Change Healthcare’s network using compromised credentials for a Citrix portal that did not have multifactor authentication enabled. The ransomware affiliate exfiltrated a huge amount of data from the network, including the protected health information of an estimated 190 million individuals.
The outages of Change Healthcare’s systems lasted for weeks, causing massive disruption to healthcare providers that relied on its clearinghouse services. Unable to bill for services and get paid, many providers experienced significant financial difficulty. Under pressure to help the affected clients, Change Healthcare’s parent company, UnitedHealth Group, issued more than $9 billion in loans, with the cost of the attack now standing at more than $3 billion. More than a year after data was exfiltrated from its network, some affected individuals are only just being notified that their data has been stolen.
Many lawsuits have already been filed against Change Healthcare by affected providers and patients and settlement discussions to resolve the consolidated lawsuit are progressing. The state of Nebraska also sued Change Healthcare last year for alleged violations of consumer protection and data privacy laws. Now CareFirst is taking legal action to recover losses incurred as a result of the ransomware attack.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
CareFirst said the attack and prolonged outage forced it to reallocate $25 million in investment funds, which were provided as loans to providers facing financial difficulties due to the ransomware attack. As with other lawsuits against Change Healthcare, CareFirst claims that insufficient cybersecurity measures had been implemented to protect its network, even though there was a high risk of being targeted in a cyberattack. Had appropriate cybersecurity measures been implemented, including multi-factor authentication on Internet-facing systems, the ransomware attack could have been prevented. The lawsuit seeks $900,000 in damages, interest, and attorneys’ fees.
