39 healthcare providers sue UnitedHealth Group over Change cyberattack
The plaintiffs claim that Change failed to implement cybersecurity safeguards such as multifactor authentication.
Photo: Chris Ryan/Getty Images
Thirty-nine healthcare providers, along with the National Community Pharmacists Association, have filed a class action lawsuit against UnitedHealth Group – plus subsidiaries Optum and Change Healthcare – over the Change Healthcare cyberattack that occurred this year, with plaintiffs claiming they still have not recovered financially from the attack.
The February 21 cyberattack disconnected Change from claims payments for hospitals and physician practices, disrupting provider revenue and financial stability to the point of potential bankruptcy for some practices.
WHAT'S THE IMPACT?
The plaintiffs claim that Change failed to implement cybersecurity safeguards such as multifactor authentication, which they say could have prevented the ransomware attack that left much of the healthcare industry handcuffed when it came to processing claims and payments.
In the months since the attack, the plaintiffs said they've received little if any reimbursement from insurers for patient visits. Without that reimbursement, they claimed, smaller and midsize practices in particular won't be able to afford such basic necessities as staff payroll and medical supplies.
Further, the plaintiffs charge that when UHG, Optum and Change discovered the breach, they shut the entire system down without providing a workable alternative. According to NCPA, that left thousands of pharmacies without any way to process claims.
"Because Defendants disconnected the Change Platform, many healthcare providers lost their primary (and in some cases their only) source of claims processing for their patients and did not receive payment," the complaint read. "Healthcare providers had to absorb these upfront costs."
The plaintiffs are seeking an unspecified amount in damages, plus an injunction preventing similar events from happening again. According to the complaint, the class action could exceed $5 million.
THE LARGER TREND
Change, owned by UHG subsidiary Optum, took its healthcare electronic data interchange offline after it discovered the attack. As the majority of hospitals and numerous physician practices in the country use Change's claims payments system, the disconnection disrupted payment and affected provider revenue.
The American Medical Association said the attack had a financial impact for 94% of hospitals. Over three-quarters of physician practices suffered "severe disruptions," according to AMA.
The Centers for Medicare and Medicaid Services launched accelerated and advance payments in early March to ease cash flow disruptions for hospitals, physicians and pharmacists. Since its launch, accelerated payments have been issued to over 4,200 Part A hospitals providers, totaling more than $2.55 billion. CMS also issued 4,722 advance payments, totaling more than $717.18 million, to Part B suppliers, including doctors, nonphysician practitioners and durable medical equipment suppliers.
After July 12, CMS will no longer accept new applications for CHOPD accelerated or advance payments.
Change has given regular updates as it has worked to bring systems back online. The cyberattack was ransomware, with UnitedHealth CEO Andrew Witty making the decision to pay $22 million in bitcoin ransom to protect patient information.
Providers of services and suppliers are now successfully billing Medicare, CMS said.
Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.
