Change Healthcare Lawsuit Filed Over Release of Sensitive Health Information in Data Breach

A Pennsylvania woman has filed a class action lawsuit over the recent Change Healthcare data breach, saying that the technology company not only failed to secure patients’ private health information (PHI), but also failed to adequately inform individuals nationwide when that data was stolen.

The complaint (PDF) was brought by Paulette Bensignor in the U.S. District Court for the District of Minnesota on October 1, seeking class action status to pursue damages on behalf of herself and millions of other patients affected by the data breach.

While Change Healthcare is not well known among most patients, it provides software, analytics and services for medical providers throughout the U.S. healthcare system, with some estimates suggesting that one out of every three individuals has their private health information pass through the company’s servers. Change Healthcare, Inc. is a part of Optum, Inc. and UnitedHealth Group (UHG) Inc., which were all named as defendants in the lawsuit.

In February, Change Healthcare announced it had been hacked through a ransomware attack by a Russian group known as Blackcat, which blackmailed the company into paying $22 million in bitcoins to be able to re-access its own customer data. However, the Change Healthcare data breach gave the hackers access to millions of customers’ private medical records and health information, placing individuals at risk for fraud, identity theft, blackmail and severe emotional distress.

Although the data was compromised months ago, Change Healthcare notices of the data breach just started going out to patients impacted, and many are just now learning about the incident.

According to her Change Healthcare lawsuit, Bensignor indicates that she had her health insurance through UnitedHealthcare, and is now concerned over the safety of that information and the risks of identity fraud.

As a result, she has suffered anxiety and emotional distress, and committed time and resources to secure her data and her accounts against potential fraud. The lawsuit indicates the defendants should be held liable for putting patients’ data at risk and seeks to represent all such affected patients through the class action lawsuit.

“Plaintiff initiates this class action lawsuit representing herself and all individuals in a similar situation to address the Defendants’ insufficient protection of Class Members’ PHI, which it collected and maintained,” her lawsuit states. “Further, the lawsuit addresses the Defendants’ failure to promptly and adequately notify the Plaintiff and other Class Members about the unauthorized access of her information by an unknown third party, as well as the precise type of information that was accessed.”

Bensignor presents claims of negligence, negligence per se, breach of implied contract and unjust enrichment. The lawsuit also wants the court to declare UHG’s cybersecurity to be insufficient and order it to establish policies and procedures ensuring patients’ personal information is reasonably secure.

Change Healthcare Data Breach Lawsuits

Bensignor’s class action joins several Change Healthcare data breach lawsuits filed to date, all arguing that the release of Social Security numbers and medical information poses risks that plaintiffs could endure for decades, and that such breaches could lead to sustained identity theft, financial fraud and misuse of health data, impacting credit, employment, insurance and medical services long-term.

Given common questions of fact and law raised in the growing number of Change Healthcare lawsuits, the litigation has been consolidated in the U.S. District Court of Minnesota under Judge Donovan W. Frank for coordinated pretrial proceedings since June, to reduce duplicative discovery into common issues in the litigation, avoid conflicting rulings from different courts, and serve the convenience of common witnesses in the claims.

Over the coming weeks and months, the size and scope of the litigation is expected to continue to expand, as many individuals impacted are just now receiving notice about the data breach, and contacting lawyers to pursue potential Change Healthcare lawsuits.

In addition to class action complaints, it is also expected that a number of individual claims will be filed, both in the U.S. court system, as well as through an arbitration process, which may provide the opportunity for impacted individuals to obtain Change Healthcare settlements.