Pharmacy Group, Providers Sue Change Healthcare After Cyberattack

An article from

Dive Brief:

• A group of pharmacists and dozens of providers are suing UnitedHealth Group and its subsidiaries, arguing they still face financial disruption from the cyberattack on Change Healthcare earlier this year.
• The National Community Pharmacists Association, which represents more than 19,000 pharmacies, and more than nearly 40 providers allege Change failed to implement reasonable cybersecurity measures and caused financial losses for providers who struggled to receive payments during the outage at the major claims processor. 
• Dozens of lawsuits have already been filed related to the massive cyberattack. Last month, a federal judicial panel ordered the cases to be centralized in Minnesota, where Change owner UnitedHealth is headquartered. 

Dive Insight:

The cyberattack on Change in late February caused upheaval across the nation’s healthcare system, delaying payments to providers, prescription fulfillment, prior authorization requests and eligibility checks.

The latest suit against Change, health services segment Optum and parent company UnitedHealth seeks class-action status and argues the disruptions from the cyberattack are ongoing.

Many providers are still struggling to verify patients’ health insurance coverage, file claims and send bills — a particular concern for small and medium-sized practices, according to the litigation. 

They also needed to switch to other claims processors and healthcare software firms during the outage, adding additional costs, they said. 

“This breach has cost our members a significant amount of money and time and it is still not resolved months later,” NCPA CEO B. Douglas Hoey said in a Monday statement. 

The plaintiffs argued reliance on Change, which was acquired by UnitedHealth in 2022, created a “single point of failure” in the U.S. health system. They also said the technology firm and large claims processor hadn’t implemented reasonable cyber protections.

During Congressional hearings in May, UnitedHealth CEO Andrew Witty said the portal that hackers used to attack Change didn’t have multifactor authentication, which requires a second method to verify a user’s identity beyond a password.

The attack also could have exposed sensitive data from a huge swath of Americans. In testimony in front of Congress, Witty estimated information from a third of individuals in the U.S. could be compromised. 

The providers and pharmacists argue Change hasn’t provided “adequate guidance” about the potential data breach, leaving them in the dark about whether they’ll need to notify their patients that their personal and health data could be compromised.

Change said last month it began sending out letters to its customers, and it will begin contacting affected individuals themselves in late July. 

UnitedHealth didn’t respond to a request for comment by press time.