Class action lawsuits pile up over UnitedHealth data breach
Send a link to a friend
 [March 14, 2024]
By Brendan Pierson
(Reuters) - UnitedHealth Group has already been hit with at least six
class action lawsuits accusing it of failing to protect millions of
people's personal data from last month's hack of Change Healthcare, its
payment processing unit, with more lawsuits likely to come.
In a motion filed late on Tuesday in Washington, D.C., plaintiffs'
lawyers asked a federal judicial panel to consolidate the six cases in
federal court in Nashville, Tennessee, where Change is headquartered,
and said they expected more cases to be filed.
It is not known how large the litigation could become because it is not
clear how much or what kind of information was compromised in the
attack, which was carried out by the ransomware hacker group BlackCat.
UnitedHealth, which disclosed the attack on Feb. 21 without specifying
how many people were affected, said in a statement Wednesday that it was
focused restoring Change's operations.
UnitedHealth hasn't said if BlackCat demanded ransom, but a post on an
online forum used by hackers claimed the company paid $22 million to the
hackers for regaining access to its locked systems.
Under the Health Insurance Portability and Accountability Act (HIPAA), a
U.S. health privacy law, companies have 60 days after discovering a data
breach to notify affected individuals that their personal information
has been compromised.
For breaches affecting more than 500 people, the company must notify
federal regulators and prominent media. UnitedHealth has so far not
given such a notice.
Change processes about 50% of the medical claims in the United States
for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and
600 laboratories.
The attack has halted Change's operations, leaving providers, including
major hospital systems, small medical practices and pharmacies unable to
collect payments. According to UnitedHealth's website, Change is
expected to resume processing payments by March 15.
[to top of second column]
|
The corporate logo of the UnitedHealth Group appears on the side of
one of their office buildings in Santa Ana, California, U.S., April
13, 2020. REUTERS/Mike Blake/File Photo
 All of the lawsuits claim that
Change failed to safeguard patients' personal information, putting
them at risk of identity theft and privacy violations. Some also
allege that patients have been unable to fill prescriptions because
their insurance claims cannot be processed, putting their health at
risk.
Plaintiffs say that information stored by Change, and now
potentially at risk, includes medical records, payment information,
names and Social Security numbers. One of the lawsuits says that
"information from the data breach is on the dark web and already
being offered for sale," though it does not provide any details
supporting that claim.
The lawsuits accuse the company of negligence and of violating the
privacy requirements in HIPAA and various state laws.
Four of the lawsuits are filed against Change in Nashville, and two
are filed against UnitedHealth in the parent company's home state of
Minnesota.
Tuesday's motion was filed by the lawyers in the Nashville cases.
Lawyers in the Minnesota cases could file a competing motion to have
the cases moved to their court, in which case the U.S. Judicial
Panel on Multidistrict Litigation would decide where to send them.
(Reporting By Brendan Pierson in New York, Editing by Alexia
Garamfalvi and Aurora Ellis)
[© 2024 Thomson Reuters. All rights reserved.]This material may not be published,
broadcast, rewritten or redistributed.
Thompson Reuters is solely responsible for this content.
 |
