Change Healthcare hit with 6 lawsuits (so far), following cyberattack
The class action lawsuits allege Change Healthcare, one of the nation’s largest health care technology firms, didn’t have reasonable cybersecurity measures in place, when it was struck by a cyberattack on Feb. 21.
The repercussions from the cyberattack on Change Healthcare have quickly spread from providers and patients to the federal government to the courtroom.
At least six lawsuits seeking class-action status have been filed this month — four in a Tennessee district court where Change is based and two in Minnesota, home of parent company UnitedHealth Group. The suits filed in Tennessee name Change as the defendant, while those in Minnesota name UnitedHealth, insurer UnitedHealthcare, health services segment Optum and Change Healthcare. Plaintiffs allege that Change didn’t have reasonable cybersecurity measures in place to prevent a data breach, allowing cybercriminals to potentially expose sensitive health and other personal information.
Although UnitedHealth Group said it’s making progress on workarounds and fixes that are helping restore the payment system, hospital and physician groups said many providers still are having major problems with everything from scheduling patients to estimating costs, and have strengthened calls for relief from the financial fallout.
Some patients have reported challenges receiving their prescriptions. In one lawsuit filed Tuesday in Minnesota, the plaintiff was unable to use his health insurance to fill two prescriptions and had to pay full price to receive his medications. Another suit filed in Minnesota alleged a patient faced challenges in quickly accessing his prescription after the Change outage, potentially risking health impacts. They all argue the tech firm didn’t have adequate protections in place to safeguard sensitive health information.
Gibbs Law Group, which has offices in Oakland, Calif., and Columbus, Ohio, is soliciting patients who were forced to pay out of pocket for prescriptions or delay their refills. Its website says it is seeking “money back for patients who were unexpectedly forced to pay for expensive medications due to this cyberattack.”
“This is something that shouldn’t have happened, especially with a company that’s so big and so profitable,” partner Rosemary Rivas said. “They should really be spending the requisite money to ensure they have reasonable security.”
The lawsuits come as cyberattacks against the healthcare sector become more common, and so have lawsuits related to data breaches. A Bloomberg Law analysis published last summer found the monthly average of new class actions filed over health data breaches was nearly double the rate from the previous year.
Related: Hospitals, providers still scrambling to get paid after Change Healthcare cyberattack
Ryan Higgins, a partner at McDermott Will & Emery in Chicago, told Axios that t’s not unusual for firms to solicit prospective plaintiffs in data breaches, but details about what was compromised and just how many are affected are still likely weeks away. “This story is far from over,” he said.