UnitedHealth sued by providers, pharmacy group over massive Change data breach

The National Community Pharmacists Association (NCPA), along with 39 medical providers from multiple states, filed a class action lawsuit on Friday against UnitedHealth Group and its subsidiaries Change Healthcare and Optum for losses resulting from the massive cyber-attack earlier this year. UnitedHealth Group has already been hit with at least six other class action lawsuits as a result of this data breach.

The NCPA, which represents over 19,400 pharmacies that employ more than 230,000 employees, and providers allege they are still waiting for delayed payments as a result of the massive ransomware attack that shut down Change Healthcare for months. This shutdown allegedly affected their ability to make payroll and purchase medical supplies.

Optum is United Healthcare’s pharmacy benefits manager, one of the three largest in the world, and Change Healthcare handles medical billing for a huge portion of the health care industry.

In February, Change Healthcare was hit with a ransomware attack that brought payment and claims processing across the country to a halt. NCPA and the providers say Change failed to take reasonable precautions against a catastrophic breach; mislead them about its network security; and caused massive financial losses for health care providers who were never reimbursed for services, and who incurred huge expenses trying to work around the downed system.

“UnitedHealth Group and its subsidiaries need to be held accountable for their lax security measures and for their failure to provide our members with adequate support and assurances to alleviate the financial losses our members suffered,” said NCPA CEO B. Douglas Hoey. “NCPA was against UnitedHealth’s acquisition of Change from the start. This breach proves that bigger is not better and that consolidation often leads to inefficiencies. Companies are so big they cannot protect every entry point and cannot respond quickly due to internal bureaucracy …This breach has cost our members a significant amount of money and time and it is still not resolved months later.”

Not only did Change, Optum, and UnitedHealth fail to adequately protect data for millions of patients, but when they discovered the breach, they shut the entire system down without providing a workable alternative, leaving thousands of pharmacies without any way to process claims, according to NCPA.

Because of the disconnection of the Change Platform, “many health care providers lost their primary (and in some cases their only) source of claims processing for their patients and did not receive payment. Health care providers had to absorb these upfront costs,” said the complaint.  Many pharmacies had to take out loans or deplete their reserves to buy expensive new software.

The Department of Health & Human Services opened an investigation into UnitedHealth Group in March, following the “unprecedented magnitude” of the cyberattack, according to HHS. “The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health-care industry,” HHS said in a letter announcing the probe.

Related: UnitedHealth’s Change Healthcare unit begins sending breach notices

“Community pharmacies incurred the losses because they wouldn’t let their patients suffer,” said Hoey. “Senior citizens and people with chronic illnesses … can’t afford to pay out of pocket for drugs that can cost thousands of dollars because a medical billing firm left itself vulnerable. It wouldn’t have been fair to patients, and it isn’t fair to leave pharmacies holding the bag.”