Lawsuits have started to be filed against UnitedHealth Group, Optum Inc., and Change Healthcare by healthcare providers that have been unable to access Change Healthcare’s services due to the shutdown of its computer networks after a Blackcat ransomware attack. Without access to those systems, healthcare providers have been unable to get paid for the medical services they have provided while Change Healthcare’s systems have been offline. Many of the affected healthcare providers have limited financial resources to cover payroll and operating expenses, which have been rapidly drained. The severe delays in processing claims and revenue cycle services have pushed many healthcare providers close to bankruptcy.

Last week, a class action lawsuit was filed on behalf of a women’s healthcare practice in Albany, MS, and other healthcare providers that have suffered delays processing claims and revenue cycle services. Like many healthcare providers, Advanced Obstetrics & Gynecology PC has limited liquidity and relies on the prompt payment of claims to keep the business afloat. The lawsuit explained that Advanced has received approximately $39,000 a week in paid claims from insurance companies over the past two years, and since the Change Healthcare cyberattack, Advanced has been unable to secure those payments. According to the lawsuit, between February 21, 2024, when the attack occurred and March 14, 2024, when the lawsuit was filed, Advanced was denied $132,000, and that amount is increasing each day. The lawsuit claims that hundreds if not thousands of healthcare providers are in a similar position and are facing bankruptcy, and that may have already happened with some healthcare providers.

One of the problems with such a large company is that an outage can have massive implications. Change Healthcare processes around half of all medical payments to the fallout from the prolonged outage has been severe. Healthcare providers in Massachusetts alone are estimated to be losing around $24 million per day. Because of the implications of any cyberattack, Change Healthcare needs to have excellent security and contingency plans to keep its services available in the event of a cyberattack, but the lawsuit claims that the security measures were lacking and its breach response hasn’t been good enough. The lawsuit alleges that Change Healthcare failed to implement reasonable and appropriate security measures, policies, and practices to ensure that sensitive data and its systems were protected from attacks. The lawsuit also claims that despite knowing that only certain systems were affected, Change Healthcare took all of its systems offline, resulting in massive disruption to the healthcare providers that rely on those systems, thus guaranteeing that they would experience severe financial difficulties.

Another class action lawsuit was filed on behalf of affected providers by Gibbs Law Group on March 18, 2024, to try to recover providers’ losses. “We are hearing from healthcare providers throughout the country who are distraught and concerned that they may not be able to buy medical supplies, make payroll, or pay rent as a result of this crippling disruption to the nation’s healthcare infrastructure,” said Rosemary Rivas, a lead attorney with Gibbs Law Group. “Change Healthcare has touted itself as a ‘trusted partner’ to providers and payors, but the company’s failure to protect its networks and safeguard critical health information has resulted in widespread harms, and deeply eroded trust.”

Many lawsuits have already been filed against UnitedHealth Group and Change Healthcare on behalf of individuals who had their personal and health data compromised in the attack. The BlackCat ransomware affiliate behind the attack claims to have stolen 6GB of data, including sensitive patient data, although the extent of any data breach has yet to be confirmed by UnitedHealth Group. The HHS’ Office for Civil Rights has also launched an investigation into Change Healthcare to determine if the company was compliant with the HIPAA Rules.

UnitedHealth Group confirmed on March 15, 2024, that Change Healthcare’s electronic payment system had been restored and 99% of its pharmacy network services are up and running, although some Change Healthcare systems remain offline. UnitedHealthcare has also set up a financial assistance program through Optum and has so far advanced more than $2 billion to healthcare providers to help ease the financial strain.

The post Healthcare Providers Sue UnitedHealth Group Over Change Healthcare Ransomware Attack appeared first on HIPAA Journal.