Class action lawsuits pile up over UnitedHealth data breach

By Thomson Reuters Mar 13, 2024 | 2:08 PM

By Brendan Pierson

(Reuters) – UnitedHealth Group has already been hit with at least six class action lawsuits accusing it of failing to protect millions of people’s personal data from last month’s hack of Change Healthcare, its payment processing unit, with more lawsuits likely to come.

In a motion filed late on Tuesday in Washington, D.C., plaintiffs’ lawyers asked a federal judicial panel to consolidate the six cases in federal court in Nashville, Tennessee, where Change is headquartered, and said they expected more cases to be filed.

It is not known how large the litigation could become because it is not clear how much or what kind of information was compromised in the attack, which was carried out by the ransomware hacker group BlackCat.

UnitedHealth, which disclosed the attack on Feb. 21 without specifying how many people were affected, said in a statement Wednesday that it was focused on restoring Change’s operations.

UnitedHealth hasn’t said if BlackCat demanded ransom, but a post on an online forum used by hackers claimed the company paid $22 million to the hackers to regain access to its locked systems.

Under the Health Insurance Portability and Accountability Act (HIPAA), a U.S. health privacy law, companies have 60 days after discovering a data breach to notify affected individuals that their personal information has been compromised.

For breaches affecting more than 500 people, the company must notify federal regulators and prominent media. UnitedHealth has so far not given such a notice.

Change processes about 50% of the medical claims in the United States for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.

The attack has halted Change’s operations, leaving providers, including major hospital systems, small medical practices and pharmacies, unable to collect payments. According to UnitedHealth’s website, Change is expected to resume processing payments by March 15.

All of the lawsuits claim that Change failed to safeguard patients’ personal information, putting them at risk of identity theft and privacy violations. Some also allege that patients have been unable to fill prescriptions because their insurance claims cannot be processed, putting their health at risk.

Plaintiffs say that information stored by Change, and now potentially at risk, includes medical records, payment information, names and Social Security numbers. One of the lawsuits says that “information from the data breach is on the dark web and already being offered for sale,” though it does not provide any details supporting that claim.

The lawsuits accuse the company of negligence and of violating the privacy requirements in HIPAA and various state laws.

Four of the lawsuits are filed against Change in Nashville, and two are filed against UnitedHealth in the parent company’s home state of Minnesota.

Tuesday’s motion was filed by the lawyers in the Nashville cases. Lawyers in the Minnesota cases could file a competing motion to have the cases moved to their court, in which case the U.S. Judicial Panel on Multidistrict Litigation would decide where to send them.

(Reporting By Brendan Pierson in New York, Editing by Alexia Garamfalvi and Aurora Ellis)