UnitedHealth sued by pharmacists, providers hurt by Change Healthcare hack
UnitedHealth Group and its subsidiaries, Optum and Change Healthcare, are facing a lawsuit filed by a large pharmacy group and dozens of providers who argue they are facing ongoing and undue financial disruptions.
The National Community Pharmacists Association—a trade group representing 19,000 members—and nearly 40 provider organizations argue UnitedHealth, et al., failed to ensure adequate security over patient and payer data, resulting in the February ransomware attack on Change Healthcare.
During the outage, the Centers for Medicare and Medicaid Services (CMS) deployed a system for emergency reimbursement. However, the plaintiffs argue the extended, months-long outage has left them struggling to receive full payment for care delivered, as Change Healthcare processes a massive number of claims.
The lawsuit is seeking class-action status, with pharmacists and providers saying reimbursement is still not at pre-cyberattack levels, leaving their businesses struggling with revenue generation. Specifically, the plaintiffs claim they are still having difficulty submitting bills, verifying the insurance of patients and ultimately receiving payments.
The problem is worse for small and medium-sized provider groups, the court filing claims.
Further, the lawsuit laments a lack of communication from Change Healthcare regarding the current status of recovery. Providers pleaded with UnitedHealth and the government for months to provide adequate guidance on the status of HIPAA-required patient notifications.
In June, Change Healthcare and its parent company, UnitedHealth, acknowledged that personal medical data had been exposed to hackers during the breach. They began notifying providers whose patients were affected, with patient notifications following in July.
Patient data was put up for sale on the darkweb in April. At that time, UnitedHealth said it was still investigating the full impact of the breach. Hackers were ultimately able to gain access to Change Healthcare because a server lacked multifactor authentication, UnitedHealth CEO Andrew Witty confirmed during a hearing with Congress in May.
Other hospitals and provider groups have already filed separate lawsuits against UnitedHealth, et al. It is not clear how those will be affected by this new lawsuit, which was filed July 19.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.