Lawsuit Alleges Change Healthcare Data Breach Caused by “Reckless Violations” of Customer Privacy

Following a massive Change Healthcare data breach earlier this year, which allowed hackers to access social security numbers and other private health records of more than 100 million Americans, a recently filed class action lawsuit indicates that the problems were caused by a flagrant disregard for the importance of protecting against the disclosure of this sensitive information.

The complaint (PDF) was brought in the U.S. District Court for the District of Minnesota on October 25, seeking class action status to pursue damages directly from Change Healthcare,  since the company failed to take necessary precautions or follow basic security protocols to prevent hackers from accessing protected health information (PHI) or personal identifying information (PII).

Change Healthcare Data Breach

Change Healthcare is not a company that is well known among most U.S. patients.  However, it provides critical software, analytics and services for medical providers throughout the healthcare system, with some estimates suggesting that one out of every three Americans has their private health information pass through the company’s servers.

Earlier this year Change Healthcare announced that it was the victim of a ransomware attack by a Russian group known as Blackcat, and the company paid the hackers $22 million in bitcoins to re-access its own customer database. However, by then the hackers had already accessed millions of customers’ private medical records and health information, placing individuals at risk for fraud, identity theft, blackmail and severe emotional distress.

Although the data was compromised in February, Change Healthcare data breach notices did not start going out to impacted patients until September, and new information continues to emerge about the security failures at Change Healthcare, which this new lawsuit indicates amount to “willful and reckless violations” of patient privacy rights.

The Change Healthcare lawsuit claims that the data breach placed patients at an “imminent, immediate and continuing” risk of identity theft, identity fraud and medical fraud, as the information is likely to be sold or otherwise trade hands among different nefarious groups.

Plaintiffs seek certification for a nationwide class, including all individuals who had their private information compromised in the data breach, indicating these victims now face a nearly 10 times greater risk of fraud, when compared to other U.S. consumers.

According to allegations in the complaint, the Change Healthcare data breach was a direct result of a lack of adequate cybersecurity measures employed by the company, which was part of a cost-saving attempt that put Change Healthcare’s bottom line over the needs and security of its patients.

Hackers exploited a glaring vulnerability in the Change Healthcare software, allowing them to access patients’ Social Security numbers, full names, birth dates, driver’s license and other state identification numbers, medical claims information, provider information, clinical information, health insurance information, and addresses.

“Defendants flagrantly disregarded Plaintiff’s and the Class Members’ privacy and property rights by intentionally, willfully and recklessly failing to take the necessary precautions required to safeguard and protect Plaintiff’s and the Class Members’ PHI and PII from unauthorized disclosure,” the lawsuit states. “Plaintiff’s and the Class Members’ PHI and PII was improperly handled, inadequately protected, and not kept in accordance with basic security protocols.”

The complaint presents claims of breach of implied contract, breach of contract, common law negligence, breach of the Minnesota Uniform Deceptive Trade Practices Act, negligent training and supervision, negligence Per Se, and breach of fiduciary duty of confidentiality.

November 2024 Change Healthcare Data Breach Lawsuit Update

Given common questions of fact and law presented in lawsuits over the Change Healthcare data breach filed throughout the federal court system, centralized pretrial proceedings have been established in the District of Minnesota, where Judge Donovan W. Frank is presiding over coordinated pretrial proceedings to reduce duplicative discovery into common issues in the litigation, avoid conflicting rulings from different courts, and serve the convenience of common witnesses in the claims.

Over the coming weeks and months, the size and scope of the litigation is expected to continue to expand, as many individuals impacted are just now receiving notice about the data breach, and contacting lawyers to pursue potential Change Healthcare lawsuits.

In addition to class action complaints, it is also expected that a number of individual claims will be filed, both in the U.S. court system, as well as through an arbitration process, which may provide the opportunity for impacted individuals to obtain Change Healthcare settlements.