The National Community Pharmacists Association (NCPA) and about 3 dozen healthcare companies in 22 U.S. states filed a lawsuit against Optum, Change Healthcare, and UnitedHealth Group related to its ransomware attack and data security breach in February 2024.
The Blackcat ransomware attack was identified on February 21, 2024 with the encryption of some of Change Healthcare’s systems. To control the attack and stop even more unauthorized access, Change Healthcare’s systems were taken offline, including its platform for claims processing, managing income, and payment cycle that links payers, patients, and healthcare providers. Providers across the country use the platform and other Change Healthcare systems and so those systems are connected to the protected health information (PHI) of 1 in 3 people in America. The platform continued offline for a few weeks, and Change Healthcare still hasn’t completely recovered from the ransomware attack.
This failure immobilized the healthcare sector and the attack had massive aftereffects. John Riggi, the American Hospital Association (AHA) national advisor for cybersecurity and risk stated that this cyberattack has somehow impacted all hospitals in the country. Companies have had trouble confirming patient eligibility, submitting claims, and charging patients, resulting in the inability of many to pay for important supplies, rent/mortgages, and worker payroll because of the incapability to obtain refunds from insurance companies. The problems went on for about four months with little financial assistance and many companies were nearly forced to close.
Because of the uncertainty about the ongoing breakdowns, numerous healthcare companies were pushed to suffer extra expenses going to other software firms to assist them with claims processing and income and payment administration.
The defendants weren’t giving enough guidance to healthcare companies, and information was released months after the data breach. To comply with HIPAA, it is the job of every impacted covered entity to make sure that the breach report is submitted to government bodies and personal notifications are sent. During the time the lawsuit was submitted, not enough data was available to let them do that.
The lawsuit blames the defendants for the cyberattack and data breach because of their negligence. Change Healthcare’s services are important to the whole healthcare sector. The defendants are purported to have not implemented appropriate security measures and strategies, did not make known material information about the lack of security practices, and caused big trouble by taking systems off the internet for a few months.
Because of the actions of the Defendants, the Plaintiffs and Class members failed to acquire the benefit of their plea with the Defendants and aren’t getting the services they’ve purchased. Also, Plaintiffs and Class members haven’t gotten payments from their healthcare providers or have received delayed payments stripping them of the importance of cash and missed interest and have sustained added expenses from changing to a different healthcare payment program. The Defendants are without enough redundancies, these effects keep on harming the Plaintiffs and Class members.
The 140-page lawsuit names 40 healthcare companies and the National Community Pharmacists Association as plaintiffs and consists of a countrywide class of likewise situated healthcare companies. The lawsuit claims breach of express contract, negligence, negligence per se, breach of implied contract, negligent interference with potential economic advantage, unjust enrichment, and violations of the Connecticut Unfair Trade Practices Act, California’s Unfair Competition Law, the Illinois Consumer Fraud and Deceptive Trade Practices Act, the New Jersey Consumer Fraud Act, New Hampshire’s Regulation of Business Practices for Consumer Protection, the Washington Consumer Protection Act, and the Tennessee Consumer Protection Act.
The lawsuit wants permanent injunctive relief to stop and avert the defendants from carrying on with engaging in illegal acts, omissions, and practices, a court order for the defendants to put into action a long list of security procedures, and awards of compensatory, general, statutory, consequential, and punitive/exemplary damages.
NCPA CEO B. Douglas Hoey said that UnitedHealth Group and its subsidiaries must be made responsible for their slack security procedures and for their inability to offer their members sufficient help and assurances to ease the financial losses they suffered.