- September 19, 2024
- Alerts
Update on Change Healthcare Class Action Litigation
The cybersecurity attack on Change Healthcare (“Change”), a subsidiary of the UnitedHealth Group, has caused widespread disruption, impacting health care providers and individuals whose personal data was compromised. This breach has led to numerous class action lawsuits, divided into two main groups: providers affected by the claims processing shutdown and individuals whose data was leaked. In June 2024, approximately 50 lawsuits were centralized into a Multi-District Litigation (MDL) in federal court in Minnesota. On September 17, 2024, the first conference in the matter occurred. As the litigation progresses, motions to dismiss, potential mediation, and class certification are expected to shape the case.
Providers who feel they have been harmed by an inability to submit claims and/or receive payments should seek appropriate counsel to evaluate their legal options.
For a full summary of the class action, see below:
Background
On February 21, 2024, Change, a major player in the health care claims processing industry, was the victim of an unprecedented cybersecurity attack. The hacker group, known as ALPHV/Blackcat, gained access to Change’s computer systems and deployed ransomware. The attack disrupted services and systems nationwide while simultaneously siphoning terabytes of sensitive health information.
Upon detecting the intrusion, Change took a significant portion of its network offline. As a result, crucial functions—such as patient authorizations, provider claims processing, and pharmacy claims transactions—were severely impacted. The fallout from this breach has reverberated throughout the health care industry. In addition to the exposure of millions of Americans' private health information, the breach has caused catastrophic financial and logistical disruptions nationwide, leaving countless physicians and practices unable to submit claims or receive payments for those already submitted.
The Resulting Class Actions
Not surprisingly, numerous class action lawsuits have been filed against Change across the country related to the data breach and disruption in claims processing. The lawsuits generally fall into one of two categories: health care providers and individuals. One set of lawsuits is brought by health care providers, who allege that they and/or their practice suffered harm as a result of the suspension in claims processing. The other set of lawsuits involves individuals whose data was allegedly stolen and leaked onto the dark web.
On June 7, 2024, the United States Judicial Panel on Multi-District Litigation centralized roughly 50 of these lawsuits in the federal court of Minnesota under an action captioned In re: Change Healthcare, Inc. Customer Data Security Breach Litigation (Docket No. 24 Md. 3108 (DWF/DJF)) (the “MDL”), presided over by the Honorable Donovan W. Frank. Since then, additional lawsuits have commenced in other state courts, which have since been consolidated, while new cases continue to arise.
The MDL actions are in their infancy. In fact, there has not been a date set for Change to respond to the various lawsuits. Most recently, on September 17, 2024, the initial pre-trial status conference was held in the MDL.
The preliminary conference for the MDL addressed several early and crucial procedural points. The parties informed the Court that the MDL, at least preliminarily, will proceed on two main tracks: one for patients whose confidential information was leaked, and another for health care providers who are asserting claims related to delays or denials of reimbursement due to the Change service shutdowns. However, counsel for the respective parties were mindful that further factual development might reveal potential sub-groups and/or tracks within the provider track (e.g. hospitals, pharmacists, and physical therapy groups).
The parties also discussed next steps in the matter. Plaintiffs will file Consolidated Complaints for the actions, likely streamlining the litigation. Change is likely to file a motion to dismiss, and it appears that it plans to argue that, on the provider side, it does not have an absolute duty to provide uninterrupted services. The parties seemed open to early mediation discussions once the motions to dismiss are resolved.
After the Court decides the motions to dismiss, one of the next issues will be “class certification” (where the Court defines who would be considered part of the class action). This will affect providers around the country.
The next status conference is currently scheduled for November 21, 2024, with planned status conferences to occur monthly beginning in 2025.
Should you have any questions regarding the above, the Change Healthcare Cyberattack, or the Multi-District Litigation in general, please contact the authors, the Garfunkel Wild attorney with whom you regularly work, or contact us at info@garfunkelwild.com.
Providers who feel they have been harmed by an inability to submit claims and/or receive payments should seek appropriate counsel to evaluate their legal options.
For a full summary of the class action, see below:
Background
On February 21, 2024, Change, a major player in the health care claims processing industry, was the victim of an unprecedented cybersecurity attack. The hacker group, known as ALPHV/Blackcat, gained access to Change’s computer systems and deployed ransomware. The attack disrupted services and systems nationwide while simultaneously siphoning terabytes of sensitive health information.
Upon detecting the intrusion, Change took a significant portion of its network offline. As a result, crucial functions—such as patient authorizations, provider claims processing, and pharmacy claims transactions—were severely impacted. The fallout from this breach has reverberated throughout the health care industry. In addition to the exposure of millions of Americans' private health information, the breach has caused catastrophic financial and logistical disruptions nationwide, leaving countless physicians and practices unable to submit claims or receive payments for those already submitted.
The Resulting Class Actions
Not surprisingly, numerous class action lawsuits have been filed against Change across the country related to the data breach and disruption in claims processing. The lawsuits generally fall into one of two categories: health care providers and individuals. One set of lawsuits is brought by health care providers, who allege that they and/or their practice suffered harm as a result of the suspension in claims processing. The other set of lawsuits involves individuals whose data was allegedly stolen and leaked onto the dark web.
On June 7, 2024, the United States Judicial Panel on Multi-District Litigation centralized roughly 50 of these lawsuits in the federal court of Minnesota under an action captioned In re: Change Healthcare, Inc. Customer Data Security Breach Litigation (Docket No. 24 Md. 3108 (DWF/DJF)) (the “MDL”), presided over by the Honorable Donovan W. Frank. Since then, additional lawsuits have commenced in other state courts, which have since been consolidated, while new cases continue to arise.
The MDL actions are in their infancy. In fact, there has not been a date set for Change to respond to the various lawsuits. Most recently, on September 17, 2024, the initial pre-trial status conference was held in the MDL.
The preliminary conference for the MDL addressed several early and crucial procedural points. The parties informed the Court that the MDL, at least preliminarily, will proceed on two main tracks: one for patients whose confidential information was leaked, and another for health care providers who are asserting claims related to delays or denials of reimbursement due to the Change service shutdowns. However, counsel for the respective parties were mindful that further factual development might reveal potential sub-groups and/or tracks within the provider track (e.g. hospitals, pharmacists, and physical therapy groups).
The parties also discussed next steps in the matter. Plaintiffs will file Consolidated Complaints for the actions, likely streamlining the litigation. Change is likely to file a motion to dismiss, and it appears that it plans to argue that, on the provider side, it does not have an absolute duty to provide uninterrupted services. The parties seemed open to early mediation discussions once the motions to dismiss are resolved.
After the Court decides the motions to dismiss, one of the next issues will be “class certification” (where the Court defines who would be considered part of the class action). This will affect providers around the country.
The next status conference is currently scheduled for November 21, 2024, with planned status conferences to occur monthly beginning in 2025.
Should you have any questions regarding the above, the Change Healthcare Cyberattack, or the Multi-District Litigation in general, please contact the authors, the Garfunkel Wild attorney with whom you regularly work, or contact us at info@garfunkelwild.com.