Change Healthcare Update: Data Breach Lawsuit Claims Patient Info Was Stored Recklessly

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit alleges Change Healthcare was reckless in its handling of the sensitive patient information of thousands of hospitals, insurance companies and pharmacies, causing a seismic—and allegedly preventable—data breach in February 2024. 

Were you impacted by the Change Healthcare data breach? Let us know here.

The 62-page data breach lawsuit says Change Healthcare, a UnitedHealth subsidiary and one the country’s largest payment and revenue cycle service providers, posted to its website last month a notice in which it confirmed it was experiencing a “cybersecurity issue,” apparently linked to the prolific ALPHV/BlackCat hacking group. The suit maintains that Change Healthcare should have been on guard against a data breach given its stature within the healthcare industry and the breadth of patient information in its care. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

The complaint charges that the sensitive information stolen by the cybergang was kept unencrypted on Change Healthcare’s network, and that the massive data breach could have been prevented had the company employed cybersecurity measures commensurate with the patient medical data in its care. 

“Had the information been properly encrypted, the data thieves would have exfiltrated only unintelligible data,” the lawsuit asserts. 

The Change Healthcare data breach was so disruptive to the American healthcare system that the United States Department of Health and Human Services (HHS) on March 5 released a statement emphasizing that the agency’s first priority is to help providers mitigate the effects of the cyberattack. In the weeks since the Change Healthcare data breach, thousands of smaller healthcare providers nationwide have reported being unable to submit claims, leaving them struggling to operate as they are unable to get paid, check insurance benefits, check the cost of prescriptions, and pay staff, several media outlets shared. 

According to the lawsuit, Change Healthcare omitted in its public notice about the data breach the root cause of the incident, the particular vulnerabilities the hackers exploited, and the remedial measures the company took to ensure such a cyberattack does not happen again. 

The case goes on to mention that the hackers behind the data breach supposedly demanded a ransom from Change Healthcare. Parent company UnitedHealth allegedly paid the hackers $22 million in cryptocurrency in the wake of the data breach. 

UnitedHealth informed the U.S. Securities and Exchange Commission on March 9 that it was making “substantial progress in mitigating the impact to consumers and care providers” in light of the cyberattack. 

The filing states that proposed class members now face a heightened risk of identity theft as a result of Change Healthcare’s failure to safeguard their information and, going forward, must closely monitor their financial accounts and incur expenses to protect themselves against fraud. 

The lawsuit looks to cover all persons in the United States whose private information was compromised as a result of the data breach reported by Change Healthcare. 

Were you impacted by the Change Healthcare data breach? Let us know here.