Class Action Lawsuit Filed Against Change Healthcare for Data Breach That Resulted in $22M Ransom Payment in Bitcoin

On Wednesday, March 6, 2024, Wesley Aliko and other privacy advocates filed a class action lawsuit against healthcare provider Change Healthcare, Inc. in the United States District Court for the Middle District of Tennessee.

The lawsuit alleges Change Healthcare experienced a data breach earlier this year which resulted in the exposure of private medical and financial information of hundreds, possibly thousands, of patients. According to court documents, cybercriminals infiltrated Change Healthcare’s systems and exfiltrated sensitive patient files containing personally identifiable information such as names, addresses, birthdates, medical records, and insurance information.

What’s more concerning is that Change Healthcare allegedly paid the ransom demand of the hacker group, known as ALPHV/Blackcat, to the tune of approximately 22 million US dollars worth of bitcoin. This follows a trend seen in many ransomware attacks where companies opt to pay cybercriminals to regain access to their locked down systems. However, privacy experts argue this only incentivizes further attacks as hackers know they can successfully extort large sums from their victims.

The class action alleges Change Healthcare did not have adequate security systems and protocols in place to protect the valuable personal data of patients that were entrusted to their care. Basic encryption of files and multi-factor authentication could have prevented the illegitimate access of sensitive medical records. The plaintiffs are seeking damages for negligence as well as requesting the company implement improved security practices and provide credit monitoring services for those impacted.

Please contact BlockTribune for access to a copy of this filing.