Multiple Class Action Lawsuits Filed in Response to Optum / Change Healthcare Cyber Attack Response Mismanagement
UnitedHealth Group CEO promises fix by middle of March as HHS throws lifeline to $400 billion company | By Steve Alder for HIPAA Journal, March 7, 2024
Optum / Change Healthcare experienced a Blackcat ransomware attack on February 21, 2024, and is still recovering from the incident, with many systems still offline more than 2 weeks after the attack.
The Blackcat ransomware group claimed to have stolen 6TB of data before encrypting files, and the affiliate behind the attack alleged that Optum paid a $22 million ransom to have the stolen data deleted and to obtain the decryption keys. The affiliate claims the Blackcat group kept the funds and did not pay the affiliate its share; Blackcat claimed law enforcement shut down its operation; and the affiliate says it still has the 6TB of stolen data.
Neither Change Healthcare, Optum, nor their parent company, UnitedHealth Group, has confirmed the extent of any data breach or whether a ransom was paid, only issuing a statement saying they are currently focused on the investigation and on bringing their systems back online.
Given the history of the Blackcat group, it is likely that the stolen data includes a significant amount of patient data, and with Change Healthcare processing around 15 billion healthcare transactions each year – including the PHI of 1 in 3 Americans – the data breach has the potential to be huge. With Change Healthcare yet to confirm a data breach, individual notifications are still several weeks away from being mailed, but lawsuits are already being filed by individuals who claim their protected health information (PHI) was stolen in the attack.
At least 5 class action lawsuits have already been filed in Tennessee and Minnesota over the Change Healthcare data breach, and that number is expected to grow considerably over the coming days, weeks, and months. One of those lawsuits was filed in Minnesota federal court on behalf of California resident Nicolas Keriazis and similarly situated individuals whose PHI is alleged to have been accessed, copied, and exfiltrated from UHG-owned servers by the Blackcat ransomware group. The lawsuit names UnitedHealth Group Incorporated, UnitedHealthcare Inc., Optum Inc., and Change Healthcare Inc. (collectively, UHG) as defendants.
Keriazis fills his prescriptions at a CVS pharmacy in California that uses Change Healthcare systems, and he claims that the stolen data includes “medical records, dental records, payment information, claims information, patients’ information (such as phone numbers, addresses, Social Security numbers, emails, etc.), insurance records, and more.” The lawsuit claims the data breach was preventable and was due to UHG implementing inadequate cybersecurity practices and policies that fell short of industry-standard measures.
Further, the lawsuit contends that UHG should have been aware of the high risk of an attack, as several federal agencies had issued a joint cybersecurity advisory warning of an imminent and increased threat of cyberattacks on hospitals and healthcare providers and advising them to take timely and reasonable precautions to protect their networks. The lawsuit alleges that UHG violated HIPAA, failed to comply with Federal Trade Commission (FTC) guidance, and engaged in practices that constitute an unfair act or practice prohibited by Section 5 of the FTC Act.
As a result of the data breach, Keriazis and class members “did not receive the benefit of their bargain with UHG and now face a significant risk of medical-related theft and fraud, financial fraud, and other identity-related fraud now and into the indefinite future.” The lawsuit alleges negligence, negligence per se, breach of third-party beneficiary contract, and unjust enrichment, and seeks compensatory, consequential, and general damages, statutory damages (trebled), and/or punitive or exemplary damages, to the extent permitted by law. The lawsuit also asks the court to order disgorgement and restitution of all earnings, profits, compensation, and benefits received by UHG as a result of its unlawful acts, omissions, and practices, and seeks injunctive relief, including a court order requiring UHG to implement a range of cybersecurity measures to prevent further cyberattacks and data breaches.
The other lawsuits include Robert Reese v. Change Healthcare Inc., filed in the U.S. District Court for the Middle District of Tennessee, and Robert Mackey v. UnitedHealth Group Incorporated, UnitedHealthcare Inc., Optum Inc., and Change Healthcare Inc., filed in the U.S. District Court for the District of Minnesota. The lawsuits make similar claims, with the latter also alleging negligent misrepresentation, breach of implied contract, and violation of the Minnesota Consumer Protection Statute on Deceptive Trade Practices.