Cyberattack Against Change Healthcare Leads to Litigation
Published on 11 Mar 2024
USA (National/Federal)
by Practical Law Employee Benefits & Executive Compensation
In the wake of a widespread cyberattack against Change Healthcare, Inc., a health care technology company that is a business associate (BA) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), an individual affected by the data breach has filed a class action complaint against the BA in a Tennessee district court, asserting various state-law claims. In support of the plaintiff's negligence claims, the complaint alleged that the BA failed to safeguard protected health information (PHI) as required under HIPAA's Privacy and Security Rules. The litigation is one of several lawsuits that have recently been brought against the BA or its parent company, a major health insurer, as a result of the cyberattack.
In the wake of a widespread cyberattack against a health care technology company and HIPAA business associate (BA), a patient affected by the data breach has filed a class action complaint against the BA in a Tennessee district court, asserting various state-law claims (M.D. Tenn. Mar. 1, 2024). In support of the patient's negligence claims, the complaint alleged that the BA failed to safeguard protected health information (PHI) as required under HIPAA's Privacy and Security Rules (see HIPAA Privacy, Security, and Breach Notification Toolkit).
The case is one of several lawsuits that have recently been brought against the BA or its parent company (UnitedHealth Group) as a result of the cyberattack.

Widespread Cyberattack Against the BA

The BA-defendant in this litigation provides payment and revenue cycle services (including patient billing), provider payment management, and other services. In February 2024, the BA experienced a wide-scale cyberattack that disrupted hospitals' and pharmacies' ability to process claims and receive payments.
The patient-plaintiff in this case, who furnished personal data to the BA in receiving the BA's services, filed a class action lawsuit against the BA after the attack. The patient's complaint alleged that the cyberattack resulted in the unauthorized disclosure of the patient's and other class members' HIPAA PHI (and other personally identifiable information (PII)) to a cybercrime threat actor identified as ALPHV/BlackCat. The complaint alleged that the BA failed to implement reasonable security measures to protect against a foreseeable cyberattack and asserted various state-law claims.

Failure to Comply with HIPAA Rules

In support of the patient's negligence claims, the complaint asserted that the BA had a duty under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (among other laws) to safeguard the PHI in its possession—but failed to do so.
The complaint alleged that the BA failed to comply with HIPAA's Privacy and Security Rules (see HIPAA Privacy, Security, and Breach Notification Toolkit). According to the complaint, the BA was aware of the vulnerability in its computer network that was exploited during the cyberattack. However, the BA allegedly failed to take steps to secure its systems and protect the PHI from unauthorized disclosure, despite PHI being valuable to cybercriminals and the increasing risk of cyberattacks in the healthcare industry (see Legal Update, In Its Second-Ever HIPAA Settlement on Ransomware, HHS Offers Best Practices for Avoiding Cyberattacks and Practice Note, HIPAA Enforcement: Settlement Agreements).
The complaint alleged that the BA failed to comply with HIPAA Security Rule provisions under which HIPAA covered entities (CEs) and BAs must:
  • Ensure the confidentiality, integrity, and availability of all PHI created, received, maintained, or transmitted by the CE or BA.
  • Ensure that workforce members comply with the Security Rule.
  • Protect against any reasonably anticipated:
    • threats or hazards to the security or integrity of the electronic PHI (ePHI); and
    • uses or disclosures of ePHI that are not permitted or required.
  • Review and modify security measures to ensure that they provide reasonable and appropriate protection of PHI.
  • Implement technical policies and procedures that protect and control access to PHI.
In addition, the complaint alleged that the BA failed to:
  • Comply with the requirements under HIPAA and the HITECH Act to implement policies and procedures to safeguard PHI against reasonably anticipated unauthorized uses or disclosures.
  • Provide prompt breach notification to affected individuals (see Practice Note, HIPAA Breach Notification Rules).
The complaint also alleged that the BA was required to:
  • Sanction workforce members who did not comply with its policies and procedures or HIPAA.
  • Mitigate, to the extent practicable, any harmful effect that was known to the BA resulting from a use or disclosure of PHI by the BA in violation of the BA's policies and procedures or HIPAA (see Standard Document, HIPAA Business Associate Agreement).

Failure to Follow NIST Security Rule Compliance Guide and Best Practices

The complaint also alleged that the BA failed to meet standards set out in the National Institute of Standards and Technology's (NIST's) Security Rule compliance guide. (For information on the recently updated version of the NIST guide, see Legal Update, In Updated HIPAA Security Rule Guide, NIST Addresses Cybersecurity and Other Topics.)
According to the complaint, the BA failed to follow numerous industry and cybersecurity best practices, including:
  • Encrypting data.
  • Requiring a key for data to be readable.
  • Using multi-factor authentication (MFA).
  • Adequately monitoring security systems.
  • Training staff on information security.

Practical Impact

The Change Healthcare cyberattack has resulted in significant disruptions to health care reimbursements for health providers, some of whom have encountered cash flow challenges due to attack-related delays. The attack has also been the topic of several press releases from the administrative agencies, which noted that the government is actively engaging with private health plans and encouraging them to coordinate with providers (for example, see HHS statement (Mar. 6, 2024); HHS press release (Mar. 5, 2024)). In recent days, the agencies have urged insurance companies and other payers to:
  • Make available interim/bridge and advance payments to providers affected by the attack.
  • Offer relaxed billing and claims processing requirements.
(See HHS/DOL press release (Mar. 12, 2024); HHS press release (Mar. 10, 2024), also signed by the Department of Labor (DOL).)
As the plaintiff in this litigation and many cybersecurity experts have asserted, data breaches such as the Change Healthcare attack are largely preventable if CEs and BAs adopt and follow robust safeguards. To this end, HHS recently provided HIPAA CEs and BAs a list of best practices that CEs and BAs can use to prevent or mitigate cyber-threats (see Legal Update, In Its Second-Ever HIPAA Settlement on Ransomware, HHS Offers Best Practices for Avoiding Cyberattacks: Best Practices for Preventing or Mitigating Cyber-Threats). In a related development, HHS and NIST issued an updated compliance guide addressing the HIPAA Security Rule. The updated 2024 guide offers drill-down information on complying with the Security Rule's administrative, physical, and technical safeguards for PHI in electronic form (see Legal Update, In Updated HIPAA Security Rule Guide, NIST Addresses Cybersecurity and Other Topics).
Resource ID: w-042-6011
Document Type: Legal update: archive
Products

PLC US Data Privacy & Cybersecurity, PLC US Employee Benefits and Executive Compensation, PLC US Law Department

© 2024 Thomson Reuters. No claim to original U.S. Government Works.