Class Action Filed Over Change Health Breach Where Stolen Patient Data Held for Bitcoin Ransom

News | July 3, 2024 By:

On Wednesday, June 19, 2024, a class action complaint was filed in federal district court against Change Healthcare Inc, Optum Inc, and UnitedHealth Group Incorporated (UHG), alleging they failed to properly safeguard patient medical data and protect healthcare providers from financial losses after Change experienced a major data breach and ransomware attack in February 2024.

The complaint, brought by 43 healthcare providers from across the United States on behalf of potentially millions of medical practices and patients affected, claims the cyberattack was preventable with basic cybersecurity measures. Change Healthcare operates a large electronic health information network helping healthcare providers submit insurance claims and interact with payers.

According to the complaint, hackers gained initial access on February 12th by using compromised login credentials to remotely access Change’s systems without multi-factor authentication protection. For over a week, they allegedly explored files and installed ransomware without detection.

On February 21st, the ransomware was triggered, encrypting systems and locking out access. A ransom was demanded in Bitcoin from UHG, which ultimately paid $22 million. But in late March, UHG CEO Andrew Witty testified to Congress that backup systems compromised in the attack caused major delays in restoring services.

The weeks-long outage had disastrous impacts, according to the complaint. Over $14 billion in unpaid medical claims were reported, severely impairing provider cash flow and operations. The American Hospital Association described it as a “staggering loss of revenue.”

The complaint alleges the cyberattack was foreseeable given prior warnings, and could have been prevented by implementing security measures like multi-factor authentication as recommended by authorities. It accuses the defendants of negligence for inadequate protections, failure to have an adequate incident response, and not communicating restoration timelines clearly.

The class action seeks damages for losses as well as injunctive relief requiring improvements to Change’s security systems and incident response plans. This cyberattack on critical healthcare infrastructure has significantly disrupted medical services nationwide and legal action may help determine accountability as the industry works to prevent future disruptive data breaches.

Please contact BlockTribune for access to a copy of this filing.