Pharmacy Association and Providers Sue UnitedHealth to Recover Losses from Ransomware Attack

The National Community Pharmacists Association (NCPA) and around 40 healthcare providers are taking legal action against Change Healthcare, UnitedHealth Group, and Optum to recover losses sustained over the February ransomware attack on Change Healthcare.

In response to the ransomware attack, Change Healthcare shut down systems that were relied upon by healthcare providers, health plans, and other entities across the country. Those systems remained offline for weeks, preventing healthcare providers from checking eligibility, which left patients unable to get their medications paid for by insurers. Patients who lacked the finances to cover the cost of their medications had to go without, which was especially disruptive for elderly patients and individuals with chronic conditions.

The billing problems forced healthcare providers to use all spare capital to cover essential expenses such as rent and mortgage payments, staff costs, and medical supplies, with many taken to the brink of closure due to the financial difficulties caused by the attack. The attack also involved data theft, and while the number of individuals affected has not yet been confirmed, UnitedHealth Group has confirmed the breach was substantial and may affect up to 1 in 3 Americans.

The lawsuit was filed on July 19, 2024, in the U.S. District Court for the District of Minnesota and alleged that UnitedHealth Group and its subsidiaries failed to implement reasonable and appropriate safeguards, and if those safeguards had been implemented, the attack and data breach could have been prevented. Further, the lawsuit alleges there was inadequate planning for a cyberattack, and a reasonable workaround was not provided when the Change Healthcare platform was shut down, which left the healthcare industry immobilized.

The lawsuit also took issue with how the incident was communicated to the affected providers, many of whom were confused about the notification requirements. While UnitedHealth Group said it would help with the notification requirements under HIPAA, it was not explicitly stated that Change Healthcare or UnitedHealth Group would be handling all notification requirements.ย UnitedHealth Group has provided financial support through a temporary funding assistance program however, the lawsuit claims that UnitedHealth Group and its subsidiaries failed to provide adequate support and assurances to alleviate the financial losses that the pharmacy groupโ€™s members have suffered.

The lawsuit also criticized UnitedHealth Group for the Change Healthcare takeover. “NCPA was against UnitedHealth’s acquisition of Change from the start. This breach proves that bigger is not better and that consolidation often leads to inefficiencies,” said NCPA CEO, B. Douglas Hoey. โ€œCompanies are so big they cannot protect every entry point and cannot respond quickly due to internal bureaucracy,” added Hoey. “The fact issues remain unresolved is a testament to this point. This breach has cost our members a significant amount of money and time and it is still not resolved months later.”

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

The lawsuit seeks awards of compensatory damages, consequential damages, general damages, statutory damages, and punitive/exemplary damages, as well as permanent injunctive relief prohibiting UnitedHealth Group and its subsidiaries from engaging in unlawful behaviors and an order from the court to compel the defendants to implement a raft of security measures to make sure that similar attacks are prevented in the future.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/