Change Healthcare Class Action Lawsuit Filed Over Repercussions from Data Breach

An Oklahoma medical provider has filed a class action lawsuit over a recent data breach at Change Healthcare, which suffered a ransomware attack earlier this year after hackers gained access to medical records and other information held by the company.

The complaint (PDF) was filed by Metro Tulsa Foot and Ankle Specialists, P.L.L.C. last month in the U.S. District Court for the Western District of Oklahoma, indicating that the Change Healthcare data breach not only impacted patients whose private information was released, but has also disrupted the operations of healthcare providers that rely on the technology company, which processes payments, billing, prescription and medical records.

Change Healthcare, Inc. is a part of Optum, inc. and UnitedHealth Group Inc., which were also named as defendants in the lawsuit, claiming that medical records for one out of every three American patients needs to pass through Change’s digital systems.

In February 2024, Change Healthcare announced that it had been hit by a ransomware attack by a Russian group known as Blackcat, which blackmailed the company into paying $22 million in bitcoins to be able to re-access its own customer data.

However, the Change Healthcare data breach gave the hackers access to millions of customers’ private medical records, and the company’s response has caused difficulties for medical providers accessing its systems, which has negatively affected those hospitals, clinics and healthcare professionals relying on the company.

Patients impacted are just now starting to receive notice about the release of their medical records and a growing number of Change Healthcare lawsuits have been filed in recent months. However, the Oklahoma medical provider indicates that the victims of the hack extend beyond patients, with repercussions throughout the healthcare system.

“In response to the attack, Change disconnected its affected systems, hamstringing providers and disrupting key operations, such as pharmacy orders, as providers have not been able to communicate pharmacy prescriptions and pharmacies have been unable to verify patient eligibility and coverage,” according to the class action lawsuit brought on behalf of healthcare providers. “However, the repercussions of the data breach extend beyond patients to healthcare providers like the Plaintiff, whose operations rely on Change’s services for claims processing.”

Months after the Change Healthcare data breach, medical providers report they are still having difficulty processing data through the company’s systems, putting them at risk of additional expenses, financial problems and potential closure.

The lawsuit seeks class action status to pursue damages on behalf of all providers affected by the loss of access, blaming Change for failing to detect, prevent, and adequately warn its customers about the data breach.

“Change neglected to implement adequate security measures,” according to the complaint. “The system weakness exploited by Blackcat hackers was easily identifiable and curable. Change’s failure to take the required steps to prevent the attack resulted in significant financial losses and operational disruptions for healthcare providers.”

Recent Data Breaches Have Affected Millions in 2024

Data breach events can include a variety of security failures in which hackers gain access to sensitive information held by companies, ranging from customer login credentials, contact information and credit card data, to more sensitive details like social security numbers or bank account data. Often this compromised information is then sold for nefarious purposes on the Dark Web.

These events can lead to devastating consequences for those affected, exposing individuals to an increased risk of identity theft and financial fraud, as well as fear, stress, anxiety and other consequential damages resulting from the need to freeze their credit, employ identity monitoring services, and take other drastic measures to protect their financial security.

According to a recent report by the Identify Theft Resource Center, there was a 490% increase in individual data breach victims between January and June of this year, when compared with the same timeframe in 2023.

Most of those impacted this year were part of a massive Ticketmaster data breach, which is believed to have exposed 560 million customers to an increased risk of identity theft and financial fraud when hackers were able to gain access to a cloud-based storage system operated by Snowflake.

Following the spike in cybersecurity victims this year, a growing number of Ticketmaster data breach lawsuits and other legal actions are now being pursued against companies responsible for allowing hackers to access customers’ personal identifying information.