Change Healthcare Cyber Attack Compromised 100 Million U.S. Patients’ Health Information

Vast amounts of private health data were stolen in a cyber attack on Change Healthcare, which appears to be the result of breached log-in credentials.

New information continues to emerge about the size and scope of a data breach at Change Healthcare, as the company confirms that personal health information on a total of 100 million individuals was stolen in the cyber attack, which may have been the result of a compromised employee password that was not protected by multi-factor authentication (MFA).

While Change Healthcare is not well-known among patients, the company provides critical software, analytics and services for medical providers throughout the U.S. healthcare system. Some estimates suggest that one out of every three individuals in the United States has their private health information pass through servers at Change Healthcare, which is a part of Optum Inc. and UnitedHealth Group Inc.

In February 2024, the Russian hacking group ALPHV, also known as BlackCat, accessed patient information that was stored on these Change Healthcare servers in a massive data breach. However, many individuals are just now receiving notice of the Change Healthcare cyber attack, and there remain many more questions than answers.

This week, the U.S. Department of Health and Human Services (HHS) published an update to its data breach portal, which now indicates that a total of 100 million individuals may have had their private health information and other personal data compromised, making it the largest healthcare data breach in U.S. history.

The update does not confirm the exact nature of the information obtained in the cyber attack, but Change Healthcare held vast amounts of personal data about individual patients, including names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, driver’s license numbers, passport numbers and banking information. The company also holds private health information, which could reveal diagnoses, medications, test results and treatment plans.

As a result of the data breach, individuals throughout the U.S. not only face a risk of financial fraud and identity theft, but could also be subject to blackmail, harassment or other attacks. Consequently, a rapidly growing number of Change Healthcare cyber attack lawsuits and individual arbitration claims are being filed by individuals who believe their personal information may have been compromised.

While investigations continue into the root cause of the Change Healthcare cyber attack, there are growing indications that the data breach was caused by a failure to employ stringent, industry-standard password requirements for employees with access to the information.

In written testimony (PDF) submitted in advance of a hearing before the U.S. House Energy and Commerce Subcommittee on Oversight and Investigations in April 2024, UnitedHealth CEO Andrew Witty confirmed that cybercriminals were able to access an employee portal using compromised log-in credentials. He confirmed that the portal did not have multi-factor authentication, which has been a widely adopted layer of security in the healthcare industry and prevents unauthorized access even when a password has been stolen.

After the cyberattack on Change Healthcare, the hacker group blackmailed the company into paying $22 million in bitcoin to regain access to its own customer data. Although the data was eventually recovered, the hackers gained access to millions of customers’ personal information and health records.

Change Healthcare Cyber Attack Lawsuits

As more and more individuals have come to realize that their personal information has been compromised in the data breach, a series of Change Healthcare lawsuits have been filed in U.S. federal courts.

Many of the lawsuits argue that the release of customers’ sensitive information, such as Social Security numbers and medical records, poses risks that the individuals could endure for decades, and that this breach could lead to identity theft, financial fraud and misuse of health data, which could have a long-term impact on individuals’ credit, employment, insurance and medical services.

Given common questions of fact and law raised in the growing number of complaints filed throughout the federal court system, all Change Healthcare cyber attack lawsuits have been consolidated in the U.S. District Court of Minnesota under Judge Donovan W. Frank since June 2024.

Judge Frank is currently presiding over coordinated pretrial proceedings to reduce duplicative discovery into common issues in the litigation, avoid conflicting rulings from different courts, and serve the convenience of common witnesses in the claims.

Given the number of individuals who had their personal health information compromised in the cyberattack, it is expected that the size and scope of the litigation will continue expanding over the coming months, as an increasing number of individuals learn they were impacted by the Change Healthcare data breach, and contact lawyers to pursue potential lawsuits.
