'A tremendous financial burden': Providers sue Change Healthcare over data breach

A Chicago-area mental health provider, who had to get money out of her retirement account to make payroll, and a Mississippi-based obstetrician and gynecological office, filed separate suits against the health care tech firm.

Two class action lawsuits were filed on behalf of health care providers Thursday against Change Healthcare for allegedly failing to protect itself from a cyberattack that caused an unprecedented disruption to the health care system.

A Chicago-area mental health provider and her office, as well as a Mississippi-based obstetrician and gynecological office, filed the separate suits against Change Healthcare, UnitedHealth Group, and Optum, seeking to hold them accountable after the cyberattack left providers across the country disconnected from technology services, rendering them unable to verify benefits, send in claims, submit prior authorizations, or be paid for their work with patients, with one provider’s outstanding bill exceeding $100,000.

“A number of health care providers have contacted us,” Thomas A. Zimmerman, Jr., a Chicago-based attorney at the Zimmerman Law Offices, told Law.com. “Their primary issue at this point is that they either have to draw down on a line of credit or use the cash they have in the operating accounts.”

Zimmerman, along with Brent S. Snyder and Brian D. Flick of DannLaw, filed one of the suits on behalf of Sara Lemke, a licensed therapist who owns Revival Therapy in Crystal Lake, Illinois.

Lemke brings claims of negligence, breach of implied contract, bailment, unjust enrichment, and violation of Illinois consumer fraud and deceptive business practices law. It was filed in the U.S. District Court for the Middle District of Tennessee because the defendants, which provide clearinghouse services to submit electronic claims to insurance companies, have a principal place of business in Nashville, Tennessee, according to the complaint.

“In the case of the plaintiff, she had to get money out of her retirement account to make payroll, purchase medications for patients and pay operating expenses because they were unable to get claims either pre-authorized, or if they were submitted, they weren’t able to get them paid,” Zimmerman said. “This is causing a tremendous financial burden on the health care providers.”

Additionally, the attack, which is believed to have been carried out by the cybercriminal group BlackCat/ALPHV, may have exposed countless individuals’ sensitive and personal information, according to the complaints.

The disruption allegedly started Feb. 21 when the defendants “identified a suspected nation-state associated cybersecurity threat actor had gained access to some of the Change Healthcare information technology systems,” later identified as a ransomware attack that knocked out the defendants’ systems for weeks, Lemke’s complaint said. She accuses the defendants of failing to take the proper steps to protect their systems and prevent a BlackCat ransomware attack—just two months after the Joint Cybersecurity Advisory published a report warning that BlackCat targets the health care sector the most, according to Lemke’s complaint.

In a similar complaint, Mississippi-based attorneys with the Barrett Law Group and the Law Offices of Richard R. Barrett, and the firm Cuneo Gilbert & LaDuca in Washington, D.C., filed a class action suit Thursday on behalf of Advanced Obstetrics & Gynecology in the U.S. District Court for the Northern District of Mississippi. The physician’s office brought claims of negligence, breach of confidence, breach of implied contract, breach of implied contract of good faith and fair dealing, breach of fiduciary duty, and unjust enrichment.

Advanced Obstetrics claims the financial processors had a duty of care to secure and safeguard that their claims would be processed on time and for the correct amounts. The provider relies on these payments to run its business.

“For instance, Advanced, over the past two years, has received approximately $39,000 in paid claims every week, meaning what Advanced receives weekly from insurance companies to settle the practice’s bills for service,” the complaint said. “Advanced is unable to secure this payment due to Change’s system lockout, and thus has been denied approximately $132,700 as of March 14, 2024, a figure that will continue to rise day after day. Had Change adequately secured its systems this large amount would have been timely paid, as Plaintiff had every reason to expect. [sic] has outstanding bills thus far totaling approximately $101,500.”

A message seeking comment from Advanced Obstetrics’ counsel was not immediately returned.

In a statement, UnitedHealth Group CEO Andrew Witty said the company is working to make progress in mitigating the impact to consumers and health care providers in this “unprecedented cyber attack on the U.S. health care system and the Change Healthcare claims and payment infrastructure.” The company said its privacy office and security information teams are working to understand whether patient information was compromised in the attack.

“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” he said. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”