In February of 2024, Change Healthcare (Change), a healthcare payment processing company, sustained a data breach. This data breach was no ordinary data breach (to the extent a data breach can be called “ordinary”). Change Healthcare, a subsidiary of health plan UnitedHealth Group, serves as a healthcare clearinghouse for approximately 15 billion annual medical claims.
Change processes approximately four out of ten health claims. The damage caused by the cyberattack is vast: UnitedHealth Group (United) CEO Andrew Witty, testifying before Congress in the spring of 2024, revealed that the hackers responsible for the cyberattack potentially stole the protected health information (PHI) and personally identifiable information of about a third of Americans, including medical records, test results, and Social Security numbers.
In the wake of the attack, several class action lawsuits were filed against Change and United. In June 2024, these lawsuits were consolidated into a single class action in Minnesota federal district court. Details of the Change Healthcare lawsuit are covered below.
Change Healthcare Class Action Lawsuit: What Are the Allegations?
After the cyberattack, 19 lawsuits from consumers and 30 from healthcare providers were filed in federal trial courts around the country. To expedite the litigations and to streamline their administration, the lawsuits were consolidated into a single Change Healthcare class action lawsuit in Minnesota, where UnitedHealth Group is headquartered.
The plaintiffs in the Change Healthcare class action lawsuit include consumers alleging compromise of their protected health information (PHI) and other personal information. The plaintiffs in the Change Healthcare class action lawsuit also include providers who allege that payment systems were unavailable due to the data breach. As a result, the providers could not submit insurance claims and receive payments. A number of providers have alleged that as of September 2024, they are still waiting for payment on their claims.
The lawsuit focuses heavily on what Change Healthcare did, or failed to do, that resulted in the damages the plaintiffs claim. The plaintiffs allege that Change’s remote access servers did not have proper authentication controls, such as multi-factor authentication (MFA). MFA requires a user to present more than one form of verification before access to a server is granted. The plaintiffs might prevail in the Change Healthcare class action lawsuit if they can demonstrate that the failure to implement MFA did not comply with the law, and that the lack of MFA was the legal cause of their damages.
Change Healthcare Class Action Lawsuit: Fighting an Uphill Battle?
Change Healthcare has already provided ample lawsuit fodder for the plaintiffs. During one of his Congressional hearings, CEO Witty revealed, “Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. For some reason, which we continue to investigate, this particular server did not have MFA on it.”
Further, plaintiffs have alleged that when the attack commenced, Change Healthcare was still using 40-year-old legacy software for payment processing. The combination of the antiquated software and the absence of MFA allowed the hackers to gain easy network access.
Plaintiffs allege that once the hackers, the ALPHV/Blackcat ransomware group, gained access to the network, open hunting season commenced – the hackers freely rummaged through the network to locate key data and additional access. Then, having successfully exfiltrated sensitive data, the attackers deployed ransomware that disrupted providers’ access to Change’s services for several weeks.
The alleged ransomware demand here was not for dollars and cents but for bitcoins, which Change Healthcare is alleged to have paid in futility, in early March. Change allegedly forked over 350 bitcoins – roughly 22 million dollars. In return, Change was stiffed.
Then, allegedly, a new wrinkle developed. A fairly new ransomware group known as RansomHub issued a ransomware demand, noting that it had acquired the pilfered data from an ALPHV/Blackcat affiliate, and would, unless paid, leak the data. Allegedly, RansomHub made good on its promise, leaking files that included patient data.
On the plus side for the defendants, CEO Witty noted that after these events, UnitedHealth put MFA in place across all external-facing systems.
How Compliancy Group Can Help
Compliancy Group’s healthcare compliance tracking solution, The Guard, contains a number of tools that HIPAA-covered entities, both small and large, can use to monitor their compliance with the HIPAA Security Rule. These tools include QuickStart guides, template policies, self-audits, and training outlining the HIPAA Security Rule authentication requirements and other required technical safeguards. Additional features include an Asset Management tool, which allows users to record which security measures, including encryption, MFA, and strong passwords, they have implemented to secure protected health information. Users also get access to risk analysis resources, which they can use to monitor risks and vulnerabilities continuously.