Because of a massive data breach, Change Healthcare is facing dozens of lawsuits filed by plaintiffs across multiple districts. The cyberattack in question resulted in the theft of 6 TB of sensitive data, including personal and protected health information (PHI) of millions of individuals throughout the United States. The lawsuits allege that Change Healthcare failed to secure the data, leaving it vulnerable to theft. Given the number of lawsuits and the overlap in legal issues and facts, Change Healthcare requested the U.S. Judicial Panel on Multidistrict Litigation (JPML) to consolidate the lawsuits into one case to streamline the proceedings.
Change Healthcare argued that consolidating the lawsuits would help establish uniform standards for discovery and pretrial motions, avoiding inconsistent rulings and improving efficiency. While the company suggested the Middle District of Tennessee, where it is headquartered, as the ideal location for the consolidated case, the JPML decided that the District of Minnesota was the best venue for pre-trial proceedings. By the time the motion to consolidate was filed, six lawsuits were pending, but by the time the court issued its first pre-trial order on August 14, 2024, the number had grown to 50, and more are expected as breach notifications continue to be sent out.
The first conference for the consolidated lawsuit took place on September 17, 2024, setting the stage for preliminary procedures and the appointment of temporary interim counsel.
Seven months earlier, in early 2024, Change Healthcare was hit by the ALPHV/BlackCat ransomware group, which attacked its network and encrypted files. The disruption was immediate and severe, with healthcare providers across the United States experiencing delays in payment processing and claims submissions and difficulty accessing patient insurance information. Despite efforts by UnitedHealth Group to alleviate the financial strain by advancing more than $9 billion to struggling providers, many healthcare facilities continued to face challenges after the restoration of Change Healthcare’s systems. Some healthcare providers are still waiting for claims payments.
Although cyberattacks can often be remedied relatively quickly, the aftereffects can linger for months. In Change Healthcare’s case, 60% of healthcare providers reported ongoing issues with verifying patients’ insurance coverage, and 86% continued to face disruptions in the claim submission process two months after the attack. This cyberattack, which affected a big part of the U.S. healthcare system, has raised concerns that it may not be an isolated incident and could represent a new normal for healthcare cybersecurity threats. The need for reinforcing HIPAA compliance is also highlighted in this incident.