Change Healthcare Class Action Lawsuit Filed Over Data Breach That Allowed Hackers To Access Medical Information of 120M Patients

Dozens of individuals have joined together to file a class action lawsuit against Change Healthcare, indicating that a massive data breach last was caused by a lack of adequate cybersecurity measures, exposing the private medical information of themselves and more than 120 million other patients, who now face a risk of identity theft and fraud.

The complaint (PDF) was brought in the U.S. District Court for the District of Minnesota on January 15, seeking class action status to pursue claims for individuals nationwide against UnitedHealth Group Incorporated, Optum, Inc., OptumInsight, Inc., and Change Healthcare Inc., indicating that the data breach could have been avoided with proper security protocols.

The Change Healthcare data breach was first announced almost a year ago, in February 2024, when the company reported that hackers had gained access to the names, Social Security numbers, dates of birth, addresses, medical records, insurance details and other sensitive data for millions of individuals.

While Change Healthcare is not well known among most U.S. consumers, it provides critical software, analytics and services for medical providers throughout the healthcare system. Some estimates suggest that one out of every three Americans has their private health information pass through the company’s servers.

This latest complaint comes amid an influx of Change Healthcare data breach class action lawsuits filed throughout the federal court system, each raising similar allegations that cybersecurity failures allowed hackers to access personal identifying and medical information.

The lawsuit details how a ransomware group known as ALPHV gained access to the Change Healthcare system on February 12, 2024.

“Although many details of the Data Breach have not been publicly released, the nature of the breach illustrates Defendants’ severe security deficiencies,” the class action complaint states. “Had Defendants employed basic, long-established, and recommended security tools, the Data Breach should have been easily thwarted.”

Plaintiffs say ALPHV gained access to the system by using a low-level employee’s password, which was likely compromised through common hacker tactics, such as phishing schemes.

After locking down the system, the hackers forced Change Healthcare to pay them $22 million in bitcoin as ransom. However, by that time the hackers already had the Personal Information of one-third of patients in the U.S., according to the lawsuit.

The lack of security was due to the company putting profits ahead of securing patient information, the lawsuit claims. Plaintiffs say the company failed to put in place “reasonable” security measures to protect their personal information.

The plaintiffs seek class action status for anyone in the U.S. whose personal information was compromised due to the data breach. They present claims of negligence, negligence per se, breach of contract, unjust enrichment, and violations of various state consumer protection laws.

Change Healthcare Data Breach Lawsuits

Given common questions of fact and law raised in the claims, a federal multidistrict litigation (MDL) has been established in the District of Minnesota, where U.S. District Judge Donovan Frank is presiding over coordinated discovery and pretrial proceedings.

Judge Frank has already ordered the parties to begin exploring the possibility of Change Healthcare data breach settlement talks.

As the court begins to explore the potential for a Change Healthcare lawsuit settlement, it is expected that the size and scope of the litigation will continue to expand over the coming weeks and months, as many individuals impacted are still receiving notice about the Change Healthcare data breach, and contacting lawyers to sign up for the litigation.

In addition to class action lawsuits, it is also expected that a number of individual arbitration claims will be filed, which may also impact the total Change Healthcare settlement payouts the company is required to make to resolve the litigation.