Healthcare Providers Sue UnitedHealth Group Over Change Healthcare Ransomware Attack

Lawsuits have started to be filed against UnitedHealth Group, Optum Inc., and Change Healthcare by healthcare providers that have been unable to access Change Healthcare’s services due to the shutdown of its computer networks after a BlackCat ransomware attack. Without access to those systems, healthcare providers have been unable to get paid for the medical services they have provided while Change Healthcare’s systems have been offline. Many of the affected healthcare providers have limited financial resources to cover payroll and operating expenses, and those resources have been rapidly drained. The severe delays in processing claims and revenue cycle services have pushed many healthcare providers close to bankruptcy.

Last week, a class action lawsuit was filed on behalf of a women’s healthcare practice in Albany, MS, and other healthcare providers that have suffered delays processing claims and revenue cycle services. Like many healthcare providers, Advanced Obstetrics & Gynecology PC has limited liquidity and relies on the prompt payment of claims to keep the business afloat. The lawsuit explained that Advanced has received approximately $39,000 a week in paid claims from insurance companies over the past two years, and since the Change Healthcare cyberattack, Advanced has been unable to secure those payments. According to the lawsuit, between February 21, 2024, when the attack occurred, and March 14, 2024, when the lawsuit was filed, Advanced was denied $132,000, and that amount is increasing each day. The lawsuit claims that hundreds if not thousands of healthcare providers are in a similar position and are facing bankruptcy, and that some may already have gone bankrupt.

One of the problems with such a large company is that an outage can have massive implications. Change Healthcare processes around half of all medical payments, so the fallout from the prolonged outage has been severe. Healthcare providers in Massachusetts alone are estimated to be losing around $24 million per day. Because of the implications of any cyberattack, Change Healthcare needs to have excellent security and contingency plans to keep its services available in the event of a cyberattack, but the lawsuit claims that the security measures were lacking and its breach response hasn’t been good enough. The lawsuit alleges that Change Healthcare failed to implement reasonable and appropriate security measures, policies, and practices to ensure that sensitive data and its systems were protected from attacks. The lawsuit also claims that despite knowing that only certain systems were affected, Change Healthcare took all of its systems offline, resulting in massive disruption to the healthcare providers that rely on those systems, thus guaranteeing that they would experience severe financial difficulties.

Another class action lawsuit was filed on behalf of affected providers by Gibbs Law Group on March 18, 2024, to try to recover providers’ losses. “We are hearing from healthcare providers throughout the country who are distraught and concerned that they may not be able to buy medical supplies, make payroll, or pay rent as a result of this crippling disruption to the nation’s healthcare infrastructure,” said Rosemary Rivas, a lead attorney with Gibbs Law Group. “Change Healthcare has touted itself as a ‘trusted partner’ to providers and payors, but the company’s failure to protect its networks and safeguard critical health information has resulted in widespread harms, and deeply eroded trust.”

Many lawsuits have already been filed against UnitedHealth Group and Change Healthcare on behalf of individuals who had their personal and health data compromised in the attack. The BlackCat ransomware affiliate behind the attack claims to have stolen 6GB of data, including sensitive patient data, although the extent of any data breach has yet to be confirmed by UnitedHealth Group. The HHS’ Office for Civil Rights has also launched an investigation into Change Healthcare to determine if the company was compliant with the HIPAA Rules.

UnitedHealth Group confirmed on March 15, 2024, that Change Healthcare’s electronic payment system had been restored and 99% of its pharmacy network services are up and running, although some Change Healthcare systems remain offline. UnitedHealthcare has also set up a financial assistance program through Optum and has so far advanced more than $2 billion to healthcare providers to help ease the financial strain.

The post Healthcare Providers Sue UnitedHealth Group Over Change Healthcare Ransomware Attack appeared first on HIPAA Journal.

Concentra Health Services Sued Over PJ&A Data Breach

Concentra Health Services is facing a class action lawsuit over a data breach at one of its business associates that exposed the data of almost 4 million of its patients. Concentra used the transcription service provider PJ&A, and during the normal course of business, PJ&A had access to patients’ protected health information (PHI). PJ&A detected suspicious activity within its network on May 2, 2023, and the forensic investigation confirmed that unauthorized individuals had access to its systems between March 27, 2023, and May 2, 2023, and acquired sensitive information. In January 2024, Concentra confirmed that the PHI of 3,998,162 patients was compromised in the attack. In total, the PJ&A data breach is known to have affected more than 14 million individuals.

A lawsuit has recently been filed against Concentra Health Services Inc., its parent company Select Medical Holdings Inc., and Perry Johnson & Associates Inc., by plaintiff Stephen Tate, whose sensitive information was compromised in the attack.  According to the lawsuit, the hackers behind the attack gained access to a system where the data of Concentra patients was stored between April 7 and April 19, 2023. The compromised information included names, dates of birth, addresses, Social Security numbers, insurance and clinical information, medical record numbers, hospital account numbers, admission diagnoses, and dates and times of service.

According to the lawsuit, the defendants must comply with the Health Insurance Portability and Accountability Act (HIPAA), which requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The lawsuit alleges that the defendants willfully, recklessly, or negligently maintained patient data, which was neither properly secured nor encrypted, even though there had been a substantial increase in cyberattacks prior to the PJ&A data breach and numerous warnings had been issued by federal agencies about the high risk of cyberattacks on healthcare organizations and their business associates.

Further, prompt notifications were not issued to the affected individuals, who did not find out that they had been affected until several months after the breach occurred. The delay in notification allowed cybercriminals to monetize, misuse, or disseminate the stolen data before the victims could take steps to protect themselves. The plaintiff alleges that it took PJ&A until November 2023 to notify Concentra about the breach, and Concentra didn’t issue individual notifications until February 2024, more than 6 months after the data breach occurred.

The plaintiff claims to have spent considerable time mitigating the impact of the data breach and will be forced to continue to spend time monitoring his accounts and taking other steps to protect himself against identity theft and fraud.  The lawsuit makes four claims for relief: negligence, breach of implied contract, unjust enrichment, and breach of confidence. The lawsuit seeks class action certification, a jury trial, monetary relief – including actual damages, statutory damages, equitable relief, restitution, disgorgement, and statutory costs – and injunctive relief, as well as the cost of a lifetime of credit monitoring and identity theft protection services.

The plaintiff and class are represented by Tiffany Marko Yiatras and Francis J. Casey of Consumer Protection Legal, LLC.

The post Concentra Health Services Sued Over PJ&A Data Breach appeared first on HIPAA Journal.