The National Community Pharmacists Association (NCPA) and more than three dozen healthcare providers from 22 U.S. states have filed a lawsuit against Change Healthcare, Optum, and UnitedHealth Group. The lawsuit stems from the catastrophic ransomware attack and subsequent data breach that occurred in February 2024, which has had far-reaching consequences for patients, healthcare providers, and the involved companies.
In February 2024, Change Healthcare, a prominent healthcare technology company and subsidiary of UnitedHealth Group, fell victim to a sophisticated ransomware attack. The breach compromised a vast amount of sensitive patient data, disrupted healthcare services, and exposed vulnerabilities in the digital infrastructure of numerous healthcare providers. The attackers managed to infiltrate Change Healthcare's systems, encrypt critical data, and demand a substantial ransom for its release.
The ransomware attack had a ripple effect across the healthcare sector, impacting various stakeholders, including community pharmacists and healthcare providers who rely on Change Healthcare's services for billing, data management, and other essential operations. The breach exposed sensitive patient information, leading to potential violations of privacy and increased risks of identity theft and fraud.
John Riggi, the national advisor for cybersecurity and risk at the American Hospital Association (AHA), has provided several insights regarding the National Community Pharmacists Association lawsuit and the broader impact of the Change Healthcare ransomware attack. Riggi emphasized the profound financial and operational repercussions of the attack on the healthcare sector, noting that the disruption has threatened the solvency of many healthcare providers and, consequently, patient care. He stated during a March 16th U.S. House subcommittee hearing about the cyberattack, "The widespread financial impacts caused by the Change Healthcare cyberattack are not only a threat to the solvency of the nation's provider network but also to patients, who won't receive care if providers cannot keep their doors open."
Additionally, Riggi highlighted the risks associated with the consolidation of healthcare technology vendors, which he described as a "consolidation of risk" that leaves the entire healthcare system vulnerable to cyberattacks. He called for a comprehensive, national approach to healthcare cybersecurity, advocating for increased federal support and funding, particularly for smaller and under-resourced healthcare providers.
In response to the breach and its consequences, the NCPA and the coalition of healthcare providers have taken legal action against Change Healthcare, Optum, and UnitedHealth Group (UHG). The lawsuit, filed in a federal court, alleges that the defendants failed to implement adequate cybersecurity measures to protect sensitive data and prevent such breaches.
The lawsuit outlines several key allegations against Change Healthcare, Optum, and UHG:
- Negligence: The plaintiffs argue that the defendants were negligent in their duty to secure sensitive healthcare data, citing inadequate cybersecurity protocols and failure to address known vulnerabilities.
- Breach of contract: The lawsuit claims that the defendants breached their contractual obligations by failing to provide secure and reliable services, resulting in significant operational disruptions and financial losses for healthcare providers.
- Violation of data protection laws: The plaintiffs contend that the defendants violated various state and federal data protection laws, including the Health Insurance Portability and Accountability Act (HIPAA), by failing to safeguard patient data adequately.
- Damages and compensation: The lawsuit seeks compensation for the financial losses, reputational damage, and operational disruptions suffered by the healthcare providers due to the ransomware attack and data breach.
"As a result of Defendants' actions, Plaintiffs and Class members did not receive the benefit of their bargain with Defendants and are not receiving the services that they have paid for," the plaintiffs wrote in the lawsuit. "Furthermore, Plaintiffs and Class members have not received payments for their healthcare services or have received late payments depriving them of the time-value of money and loss of interest and have incurred extra costs from switching to another healthcare payment software. And because Defendants do not have adequate redundancies, these consequences continue to harm Plaintiffs and Class members."
The lawsuit highlights several critical issues and lessons for the healthcare sector, particularly for cybersecurity professionals.
The incident underscores the necessity for healthcare organizations to implement comprehensive and robust cybersecurity measures, including regular risk assessments, advanced threat detection systems, and continuous monitoring to identify and mitigate potential threats.
Compliance with data protection laws, such as HIPAA, is crucial for healthcare organizations. The lawsuit emphasizes the legal and financial repercussions of failing to protect sensitive patient data, serving as a cautionary tale for other organizations.
Effective incident response and recovery plans are vital in minimizing the impact of cyberattacks. The fallout from the Change Healthcare breach demonstrates the need for organizations to have well-defined and tested response strategies to handle such incidents promptly and effectively.
B. Douglas Hoey, CEO of the NCPA, has been vocal about the impacts of the Change Healthcare cyberattack. In statements, Hoey emphasized the need for pharmacies to be supported and not left to deal with the aftermath alone. He highlighted the significant effort pharmacies are making to ensure patient care continues despite the disruption, calling for better communication and realistic timelines for restoring claims and e-prescription routing. Hoey also stressed the importance of assurances that pharmacies will not be penalized for their best efforts during this challenging period. The NCPA is actively engaging with stakeholders, including CMS and PBMs, to secure waivers and support for affected pharmacies.