UnitedHealth Group is facing multiple class action lawsuits related to the UnitedHealth Data Breach at its payment processing unit, Change Healthcare. Multiple class action lawsuits have followed since the Change Healthcare Cyberattack.
The company has been accused of failing to protect the personal data of millions of individuals. The plaintiffs’ lawyers have filed a motion requesting the consolidation of the six existing cases in federal court in Nashville, Tennessee, where Change is located.
They also anticipate additional lawsuits to be filed in the future. Given the uncertainty surrounding the extent of the compromised information, it is difficult to predict the full scope of the litigation. The cyberattack on Change Healthcare was carried out by the BlackCat ransomware group.
The UnitedHealth Data Breach, What Happened?
On February 21, UnitedHealth Group revealed the attack that occurred, without providing details about the number of individuals impacted. In a statement, the company expressed its primary focus on restoring the operations of Change Healthcare.
While UnitedHealth has not disclosed whether a ransom was demanded by BlackCat, a post on a hacker forum suggested that the company paid $22 million to regain access to its locked systems. This is the second largest ransom payment ever made.
According to the Health Insurance Portability and Accountability Act (HIPAA), which is a U.S. health privacy law, companies have a 60-day window to inform individuals if their personal information has been compromised in a data breach.
In cases where the breach affects more than 500 individuals, the company is required to notify federal regulators and the media. As of now, the company has not provided such notifications regarding the UnitedHealth Data Breach.
Change Healthcare is responsible for processing approximately 50% of the medical claims in the United States on behalf of various healthcare providers. This includes around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories.
However, due to the recent Change Healthcare Cyberattack, its operations have been disrupted, causing difficulties for healthcare providers to receive their payments.
This includes major hospital systems, small medical practices, and pharmacies. UnitedHealth has stated on its website that Change Healthcare is anticipated to resume processing payments by March 15.
Multiple Class Action Lawsuits Against UnitedHealth
The lawsuits against Change Healthcare assert that the company failed to adequately protect patients’ personal information, thereby exposing them to the risks of identity theft and privacy violations.
Furthermore, some lawsuits highlight the impact on patients’ health, as they have been unable to fill prescriptions due to the inability to process insurance claims.
Plaintiffs claim that the compromised information includes medical records, payment details, names, and Social Security numbers. One lawsuit even suggests that information from the breach is available on the dark web for sale, though no specific evidence is provided to support this claim.
The lawsuits against Change Healthcare allege negligence and violations of privacy requirements under HIPAA and state laws.
Four of the lawsuits have been filed against Change in Nashville, while two have been filed against UnitedHealth in Minnesota, the parent company’s home state.
The motion filed on Tuesday was submitted by the lawyers representing the Nashville cases. Lawyers representing the Minnesota cases may potentially file a competing motion to transfer the cases to their jurisdiction.
In such a scenario, the U.S. Judicial Panel on Multidistrict Litigation will determine the appropriate venue for the consolidated lawsuits.