Pharmacy Association and 40 Providers Sue Change Healthcare Over Cyberattack
The National Community Pharmacists Association (NCPA) and more than three dozen healthcare providers in 22 U.S. states are suing Change Healthcare, Optum, and UnitedHealth Group over the February 2024 ransomware attack and data breach at Change Healthcare.
The Blackcat ransomware attack was discovered on February 21, 2024, when parts of Change Healthcare’s systems were encrypted. To contain the attack and prevent further unauthorized access, Change Healthcare took its systems offline, including the Change Healthcare platform that acts as a claims processing, revenue, and payment cycle management service that connects payers, providers, and patients. The platform and other offline Change Healthcare systems are relied upon by providers across the country and those systems touch the protected health information of 1 in 3 Americans. The platform remained offline for several weeks, and Change Healthcare still has not fully recovered from the attack. The HIPAA Journal has covered the Change Healthcare ransomware attack in detail here.
This single point of failure left the healthcare industry immobilized and the fallout from the attack has been immense. According to John Riggi, national advisor for cybersecurity and risk at the American Hospital Association (AHA), “this cyberattack has affected every hospital in the country one way or another.” Providers have had difficulty verifying patient eligibility, filing claims, and billing patients, leaving many unable to pay for essential supplies, rent/mortgages, and employee payroll due to the inability to get reimbursement from insurers. The problems continued for around four months with little in the way of financial support and many providers were pushed to the brink of closure.
Due to the uncertainty around the continuing outages, many healthcare providers were forced to incur additional costs switching to alternative software companies to help with claim submission and revenue and payment management.
The defendants were criticized for not providing adequate guidance to healthcare providers, and it took months for information to be released about the data breach. Under HIPAA, it is ultimately the responsibility of each affected covered entity to ensure that the breach is reported to regulators and individual notifications are mailed. At the time the lawsuit was filed, insufficient information had been provided to allow them to do that.
The lawsuit alleges fault for the cyberattack and data breach lies with the defendants and was born of their carelessness. Change Healthcare’s services are vital to the entire healthcare industry, yet the defendants are alleged to have failed to implement reasonable security procedures and practices, failed to disclose material facts about deficient security protocols, and caused massive disruption by taking systems offline for months.
“As a result of Defendants’ actions, Plaintiffs and Class members did not receive the benefit of their bargain with Defendants and are not receiving the services that they have paid for. Furthermore, Plaintiffs and Class members have not received payments for their healthcare services or have received late payments depriving them of the time-value of money and loss of interest and have incurred extra costs from switching to another healthcare payment software,” explained the plaintiffs in the lawsuit. “And because Defendants do not have adequate redundancies, these consequences continue to harm Plaintiffs and Class members.”
The 140-page lawsuit names 40 healthcare providers and the National Community Pharmacists Association as plaintiffs and includes a nationwide class of similarly situated healthcare providers. The lawsuit asserts claims of negligence, negligence per se, breach of express contract, breach of implied contract, unjust enrichment, negligent interference with prospective economic advantage, and violations of California’s Unfair Competition Law, the Connecticut Unfair Trade Practices Act, the Illinois Consumer Fraud and Deceptive Trade Practices Act, New Hampshire’s Regulation of Business Practices for Consumer Protection, the New Jersey Consumer Fraud Act, the Tennessee Consumer Protection Act, and the Washington Consumer Protection Act.
The lawsuit seeks permanent injunctive relief to prohibit and prevent the defendants from continuing to engage in unlawful acts, omissions, and practices, an order from the courts to require the defendants to implement a long list of security measures, and awards of compensatory, consequential, general, statutory, and punitive/exemplary damages.
“UnitedHealth Group and its subsidiaries need to be held accountable for their lax security measures and for their failure to provide our members with adequate support and assurances to alleviate the financial losses our members suffered,” said NCPA CEO B. Douglas Hoey.


