Pharmacy group sues UHG over Change Healthcare data breach

The National Community Pharmacists Association (NCPA), along with more than three dozen providers, filed a class action lawsuit against UnitedHealth Group over losses stemming from the February 2024 Change Healthcare data breach and cyberattack.

As previously reported, Change Healthcare fell victim to a ransomware attack in late February at the hands of Alphv/BlackCat. The cyberattack resulted in a data breach that affected approximately one-third of Americans and caused financial hardships for healthcare organizations nationwide. UnitedHealth Group advanced billions of dollars to providers, but organizations were still reporting widespread revenue losses from unpaid claims and operational disruptions months after the cyberattack.

The plaintiffs in the class action, filed on July 19, 2024, in the United States District Court for the District of Minnesota, alleged that UnitedHealth Group and its subsidiaries, Change Healthcare and Optum, failed to take reasonable precautions to prevent the breach.

Additionally, the plaintiffs suggested that Change Healthcare misled customers about its network security posture and failed to provide a reasonable workaround when it shut down the Change Healthcare (Change) platform amid the disruption.

"Reliance on Defendants' Change Platform has created a single point of failure in the U.S. health system. Without Defendants' Change Platform, the healthcare industry is immobilized. Patients were stuck in prescription purgatory without access to their vital medications," the lawsuit stated.

The fact issues remain unresolved is a testament to this point. This breach has cost our members a significant amount of money and time and it is still not resolved months later.

"This is especially disruptive to elderly patients who have a fixed income and cannot afford medications without insurance, as well as individuals with chronic illnesses who face life-threatening symptoms without their medication. Defendants' network outage of the Change Platform jeopardized the health of millions of Americans."

The plaintiffs took issue with UnitedHealth Group's communication to providers about the cyberattack as well, citing confusion about breach notification responsibilities. HHS and UnitedHealth Group have since clarified that breach notifications may be handled by UnitedHealth Group, but the plaintiffs alleged that providers remain in a state of uncertainty as the breach notification process unfolds.

"UnitedHealth Group and its subsidiaries need to be held accountable for their lax security measures and for their failure to provide our members with adequate support and assurances to alleviate the financial losses our members suffered," NCPA CEO B. Douglas Hoey said in a press release.

"NCPA was against UnitedHealth's acquisition of Change from the start. This breach proves that bigger is not better and that consolidation often leads to inefficiencies."

In addition to facing scrutiny over the cyberattack, the Department of Justice began investigating antitrust allegations against the company in early 2024, specifically focusing on the ties between UnitedHealth Group and Optum.

To Hoey, the cyberattack is further evidence of the downsides of consolidation in healthcare.

"Companies are so big they cannot protect every entry point and cannot respond quickly due to internal bureaucracy," Hoey added. "The fact issues remain unresolved is a testament to this point. This breach has cost our members a significant amount of money and time and it is still not resolved months later."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.