UPDATE: June 11, 2024: Nearly 50 lawsuits brought against Change Healthcare after a massive cyberattack earlier this year will be consolidated in Minnesota, where parent company UnitedHealth is based, a federal judicial panel ruled Friday.
Change had lobbied to centralize the cases in its home state in Tennessee. The suits include 19 complaints from consumers who allege their personal information and protected health data was compromised, while 30 come from providers who say they struggled to submit claims and receive payments after the attack shut down Change systems.
All cases will focus on how Change’s system was breached, security measures it had in place, and how the technology firm acted to notify those impacted and restore its systems for providers, according to a court filing.
Dive Brief:
- Change Healthcare wants to consolidate 24 class-action lawsuits it faces in the wake of a cyberattack that’s caused disruptions across the industry, according to a Wednesday court filing.
- The UnitedHealth Group subsidiary asked a judicial panel to combine the suits and centralize them in the federal U.S. District Court for the Middle District of Tennessee — where Change is headquartered — arguing the cases share factual and legal claims and are in early stages of litigation.
- Consolidating would preserve court resources and avoid duplicative work and inconsistent rulings, Change said in the filing.
Dive Insight:
Lawsuits are piling up against Change as the technology company works to bring all of its systems back online following a cyberattack in late February.
Two dozen class-action lawsuits related to the cyberattack have been filed as of April 2, according to the court filing. Thirteen were filed by consumers citing concerns about data theft, while 11 came from providers who said they struggled to receive payments while Change’s systems have been offline.
The technology firm pushed back against the suits, arguing the cases are based on the “incorrect and unfounded theory” that Change’s security wasn’t adequate, and plaintiffs must have been harmed by the attack.
Lawsuits could proceed in at least seven districts across the country if the cases aren’t centralized.
Change suggested the Middle District of Tennessee for a consolidated case, arguing the technology company, which was acquired by healthcare conglomerate UnitedHealth in 2022, was at the center of all the lawsuits, even those that named other entities like UnitedHealth or health services arm Optum.
Most of the suits filed so far have already been filed in Tennessee, and the judge who would likely be assigned is “well-equipped” to handle the case, the filing said.
Data breach class actions “exploded” in 2023, according to a February report from law firm Duane Morris, as the healthcare industry faces increased breach threats. The HHS’ Office for Civil Rights tracked a 256% increase in large breaches over the past five years.
A major data breach last year at a medical transcription services vendor, Perry Johnson & Associates, led to a number of lawsuits against the company and affected health systems. The lawsuits were recently consolidated in the Eastern District of New York.
UnitedHealth did not respond to a request for comment.