On December 19, 2025, the U.S. District Court for the District of Minnesota (the Court) issued a significant decision in the Change Healthcare cybersecurity multidistrict class action, largely denying defendants’ motion to dismiss claims brought by health care providers nationwide. The Court permitted core negligence and breach-of-contract claims to proceed against Change Healthcare (Change), UnitedHealth Group (United), and affiliated Optum entities, dismissing only narrower negligence-per-se theories premised on HIPAA and the Federal Trade Commission Act.
For medical practices continuing to deal with the financial fallout of the February 2024 claims-processing shutdown—and for those disputing repayment demands tied to the Temporary Funding Assistance Program (TFAP)—the ruling represents a meaningful and provider-favorable development.
Court Recognizes Providers’ Operational and Financial Harm
Change serves as critical national infrastructure for eligibility verification, claims submission, and reimbursement. Following the ransomware attack and prolonged shutdown, providers across the country were unable to submit claims or receive payment, triggering cash-flow crises, deferred payroll, and disruptions to patient care.
The court rejected defendants’ attempt to characterize these harms as too remote or speculative. Instead, it held that providers plausibly alleged a duty of reasonable care and that widespread operational disruption is a foreseeable consequence of deficient cybersecurity. Importantly, the court recognized that providers may pursue recovery for lost revenue and business interruption caused by the shutdown itself—not merely for harms tied to data misuse.
Negligence and Contract Claims Move Forward
The court allowed providers’ negligence claims to proceed, finding that alleged cybersecurity failures and the resulting system outage could plausibly be linked to providers’ economic losses. The absence of direct data misuse did not bar recovery where operational harm was foreseeable.
The court also sustained breach-of-contract claims, holding that providers adequately alleged that Change failed to meet contractual obligations to maintain secure systems and ensure continuity of critical services. These rulings reinforce that health care technology vendors remain contractually accountable when cybersecurity failures disrupt core operations.
Strengthened Position in TFAP Recoupment Disputes
The decision has particular significance for providers disputing Change or United’s efforts to recoup TFAP advances. Change and United have frequently characterized TFAP payments as routine, short-term loans subject to automatic repayment through future offsets.
By allowing negligence and breach-of-contract claims to proceed, the court recognized that providers plausibly allege they were forced into TFAP participation as a direct result of defendants’ own misconduct. Where emergency funding is extended to mitigate harm caused by a vendor’s breach, providers may have substantial defenses to unilateral recoupment, including arguments grounded in offset, causation, breach, and equity.
What Happens Next in the Litigation?
With the pleadings stage largely complete, the case is expected to move into discovery focused on cybersecurity controls, incident response decision-making, internal communications, and the design and administration of the TFAP program. Providers should expect defendants to continue disputing causation, damages, and the characterization of TFAP advances, while plaintiffs will seek evidence tying the shutdown—and the need for emergency funding—directly to defendants’ conduct.
As discovery progresses, the court may also address class certification issues and additional motions directed at damages models and recoupment defenses. In parallel, the court’s rulings are likely to influence negotiations and litigation strategy in individual provider disputes involving TFAP repayment demands and contract enforcement.
Takeaway for Medical Providers
This decision marks an important step forward for medical providers affected by the Change Healthcare outage. It confirms that courts are receptive to claims based on operational shutdowns, lost reimbursement, and forced reliance on emergency funding programs like TFAP. Providers currently facing TFAP repayment demands, offsets, or contract disputes should consider this ruling carefully as the litigation continues to unfold.
Should you have any questions regarding the above, please contact the author, the Garfunkel Wild attorney with whom you regularly work, or contact us at [email protected].
