CASE BACKGROUND
Defendants Change Healthcare Inc., Optum, Inc., and UnitedHealth Group Inc. operate an enormous clearinghouse that processes between 1/3 and 1/2 of all healthcare insurance claims in the United States. Defendants process approximately 15 billion healthcare insurance claims per year with a combined value of more than $1.5 trillion per year—roughly 5% of the annual gross U.S. domestic product. And their data systems hold the personally identifiable information (PII) and personal health information (PHI) of approximately 100 million U.S. citizens—roughly 1/3 of the country’s population.
Defendants were aware that the enormous trove of sensitive personal data they possessed would be an irresistible target for cyberthieves. The U.S. government warned them that there were at least 70 cyberattacks since December 2023, mostly against healthcare organizations. Despite knowing the risks, defendants failed to take even basic precautions to protect the sensitive PII and PHI held in their data systems. Yet on February 21, 2024, a dark web entity known as BlackCat or AlphV was able to steal the PHI and PII because they obtained a compromised username and password, with nothing more required to access defendants’ data systems.
Once defendants became aware of the cyberattack, they immediately shut down their entire network to prevent further damage. Consequently, roughly 40 million healthcare transactions went unprocessed every day the system was shut down. Some services are still not functioning. Others took weeks to return to service. This is partly due to defendants’ negligent failure to institute a Business Continuity Plan and a Disaster Recovery Plan. These widely used protocols are designed to minimize the impact of cyberattacks by maintaining redundant, secure backup systems offline that enable a rapid rebuild of the hacked data systems, among other steps.
Due to defendants’ negligence, the PII and PHI of approximately 100 million citizens are now in the hands of cybercriminals, leaving those individuals vulnerable to identity theft and other injuries for the foreseeable future. Millions of patients nationwide were and are unable to access the healthcare and medications they need. In addition, thousands of healthcare providers have suffered financial harm because they have not received the insurance payments they rely on to keep their businesses solvent.
%20(2).png?width=2240&height=1260&name=Blog%20Pictures%20(Blog%20Banner)%20(2).png)
CASE FILED
On July 25, 2024, the Joseph Saveri Law Firm, LLP and co-counsel filed a complaint on behalf of a class of nationwide patients against Change Healthcare Inc., Optum, Inc., and UnitedHealth Group Inc. The suit, filed in the United States District Court of Minnesota, alleges defendants failed to protect the sensitive and confidential personal identifiable information and personal health information of millions of U.S. patients. The class alleges claims for negligence, negligence per se, and unjust enrichment, and seeks a jury trial and all available monetary and equitable relief.
CONTACT US
If you wish to inform us of any unfair business practice, antitrust or competition issue, or comment on one of our cases, please use the form below. There is no cost or obligation for our review of your case. We agree to protect your name and all confidential information you submit against disclosure, publication, or unauthorized use to the full extent under the law. Please note that completion of this form does not contractually obligate our firm to represent you. We can only represent you if both you and our firm agree, in writing, that we will serve as your attorney. Please read our disclaimer. Any information you provide to us will be kept strictly confidential as provided by law.