The National Community Pharmacists Association (NCPA) and dozens of providers have filed a class action lawsuit against UnitedHealth Group (UHG) for losses from the Change Healthcare cyberattack that happened earlier this year. The plaintiffs argued that Change Healthcare, which was acquired by UHG in 2022, didn’t take adequate precautions against the attack and caused major financial losses for providers.
“UnitedHealth Group and its subsidiaries need to be held accountable for their lax security measures and for their failure to provide our members with adequate support and assurances to alleviate the financial losses our members suffered. … This breach proves that bigger is not better and that consolidation often leads to inefficiencies,” said NCPA CEO B. Douglas Hoey in a statement. “Companies are so big they cannot protect every entry point and cannot respond quickly due to internal bureaucracy. The fact [that] issues remain unresolved is a testament to this point. This breach has cost our members a significant amount of money and time and it is still not resolved months later.”
This comes after numerous other lawsuits have already been filed for the Change Healthcare attack.
Change Healthcare helps pharmacies and providers process claims. It processes 15 billion transactions annually, according to the complaint. In February, it was announced that ransomware group Blackcat gained access to Change’s servers, leading to network outages that affected millions of patients and providers nationwide. Blackcat obtained sensitive information, including social security numbers, driver’s licenses, health information and claims and payment information.
To stop the attack from getting worse, the defendants took some Change systems offline, including the widely used Change Healthcare Platform, which is a claims processing service.
“Reliance on Defendants’ Change Platform has created a single point of failure in the U.S. health system,” the complaint stated. “Without Defendants’ Change Platform, the healthcare industry is immobilized. Patients were stuck in prescription purgatory without access to their vital medications. This is especially disruptive to elderly patients who have a fixed income and cannot afford medications without insurance, as well as individuals with chronic illnesses who face life-threatening symptoms without their medication. Defendants’ network outage of the Change Platform jeopardized the health of millions of Americans.”
Providers were also severely compromised by the hack, and many are still experiencing challenges in verifying patient eligibility and coverage, filing claims and billing patients. Small and mid-sized practices are especially struggling, according to the complaint.
“For over four months (and counting), these healthcare practices have received little, if any, reimbursement from insurers for patient visits,” the complaint said. “Without complete reimbursement, small and mid-sized practices cannot afford employee payroll, rent/mortgage, and medical supplies.”
UnitedHealth Group also hasn’t given providers “adequate guidance,” the plaintiffs argued. Providers have to notify their patients of personal information that has been affected by the data breach and in certain cases, have to report the breach to the federal government. But UnitedHealth Group hasn’t “provided adequate accounts about the Data Breach that would allow healthcare providers to satisfy their obligations,” the complaint alleged.
Due to these issues, the plaintiffs made several requests for relief, including that the court “prohibit and prevent Defendants from continuing to engage in the unlawful acts, omissions, and practices described herein.” They also asked the court to award them “compensatory, consequential, and general damages, including nominal damages as appropriate, for each count as allowed by law in an amount to be determined at trial.”
UnitedHealth Group did not return a request for comment.
Photo: AndreyPopov, Getty Images