Change Healthcare Data Breach Class Action Lawsuits Centralized

Almost 50 lawsuits filed against UnitedHealth Group after its Change Healthcare payment processing unit was hit with a cyberattack in February will be centralized in a Minnesota court.

This consolidation follows Change Healthcare's April request to consolidate at least 24 lawsuits in a Tennessee court, citing the need to conserve court resources and avoid conflicting rulings. However, the federal panel opted for Minnesota, UnitedHealth's base, as the more suitable venue.

On June 7, a federal panel centralized the 49 lawsuits that allege UnitedHealth Group’s Healthcare payment processing unit failed to protect the personal data of patients, and that the cyberattack led to healthcare providers not being paid for their work, Reuters reports.

This consolidation follows a wave of legal actions initiated in April, with at least two dozen class-action lawsuits filed against Change Healthcare. These lawsuits, filed by both consumers and healthcare providers, accused the company of negligence in its data security practices, leading to delays in payments and heightened risks of identity theft.

Thirty of the lawsuits were filed by healthcare providers who say they were unable to get paid when Change's system was locked down after the attack. The other 19 lawsuits were brought by individuals who said their private information was exposed in the breach. 

Ransomware Attack Cripples Change Healthcare

The attack is believed to have been carried out by the ransomware hacker group BlackCat, Reuters reports. 

The breach was reported by UnitedHealth on Feb. 21, however the company did say at the time how many people were affected. 

However, Change processes about half of the medical claims in the United States. An American Hospital Association survey found that 94% of hospitals reported damage to their cash flow as a result of the attack. The attack led to disruptions in claims payments and operational challenges for many healthcare providers, prompting concerns about the broader implications of consolidating healthcare services under large entities like UnitedHealth Group.

Healthcare Data Breaches On the Rise

The number of healthcare data breaches has been steadily rising each year, according to the Department of Health and Human Services Office for Civil Rights. Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR. Those breaches have resulted in the exposure or disclosure of more than 500 million healthcare records.

The largest healthcare data breach since 2009 occurred at Anthem Inc. in 2015, The HIPAA Journal reports. The breach involved the records of 78.8 million individuals. 

However, the journal reports that the ransomware attack on Change Healthcare could break that record, with the breach potentially having resulted in the theft of the protected health information of up to 1 in 3 Americans. 

The lawsuits are suing UnitedHealth for negligence and are seeking damages to compensate providers for their losses and consumers for the cost of credit monitoring and potential identity fraud using their information from the breach.

Case Details

• Lawsuit: In Re: Change Healthcare Inc. Customer Data Security Breach Litigation
• Case Number: 24-md-03108
• Court: U.S. District Court for the District of Minnesota

Plaintiffs' Attorneys

• Gerard Stranch (Stranch, Jennings & Garvey) 
• Joseph Guglielmo (Scott & Scott) 
• Gary Klinger (Milberg Coleman Bryson Phillips Grossman)