Cyberattack Against Change Healthcare Leads to Litigation
Published on 11 Mar 2024 | USA (National/Federal) | by Practical Law Employee Benefits & Executive Compensation
In the wake of a widespread cyberattack against a health care technology company and business associate (BA) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Change Healthcare, Inc.), an individual affected by the data breach has filed a class action complaint against the BA in a Tennessee district court, asserting various state-law claims. In support of the plaintiff's negligence claims, the complaint alleged that the BA failed to safeguard protected health information (PHI) as required under HIPAA's Privacy and Security Rules. The litigation is one of several lawsuits that have recently been brought against the BA or its parent company, a major health insurer, as a result of the cyberattack.
In the wake of a widespread cyberattack against a health care technology company and HIPAA business associate (BA), a patient affected by the data breach has filed a class action complaint against the BA in a Tennessee district court, asserting various state-law claims (
The case is one of several lawsuits that have recently been brought against the BA or its parent company (UnitedHealth Group) as a result of the cyberattack.
Widespread Cyberattack Against the BA
The BA-defendant in this litigation provides payment and revenue cycle services (including patient billing), provider payment management, and other services. In February 2024, the BA experienced a wide-scale cyberattack that disrupted hospitals' and pharmacies' ability to process claims and receive payments.
The patient-plaintiff in this case, who furnished personal data to the BA in receiving the BA's services, filed a class action lawsuit against the BA after the attack. The patient's complaint alleged that the cyberattack resulted in the unauthorized disclosure of the patient's and other class members' HIPAA PHI (and other personally identifiable information (PII)) to a cybercrime threat actor identified as ALPHV/Blackcat. The complaint alleged that the BA failed to implement reasonable security measures to protect against a foreseeable cyberattack and asserted various state-law claims.
Failure to Comply with HIPAA Rules
In support of the patient's negligence claims, the complaint asserted that the BA had a duty under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (among other laws) to safeguard the PHI in its possession—but failed to do so.
In addition, the complaint alleged that the BA failed to:
Comply with the requirements under HIPAA and the HITECH Act to implement policies and procedures to safeguard PHI against reasonably anticipated unauthorized uses or disclosures.
The complaint also alleged that the BA was required to:
Sanction workforce members who did not comply with its policies and procedures or HIPAA.
Mitigate, to the extent practicable, any harmful effect that was known to the BA resulting from a use or disclosure of PHI by the BA in violation of the BA's policies and procedures or HIPAA (see Standard Document, HIPAA Business Associate Agreement).
Failure to Follow NIST Security Rule Compliance Guide and Best Practices
According to the complaint, the BA failed to follow numerous industry and cybersecurity best practices, including:
Encrypting data.
Requiring a key for data to be readable.
Using multi-factor authentication (MFA).
Adequately monitoring security systems.
Training staff on information security.
Practical Impact
The Change Healthcare cyberattack has resulted in significant disruptions to health care reimbursements for health providers, some of whom have encountered cash flow challenges due to attack-related delays. The attack has also been the topic of several press releases from the administrative agencies, which noted that the government is actively engaging with private health plans and encouraging them to coordinate with providers (for example, see HHS statement (Mar. 6, 2024); HHS press release (Mar. 5, 2024)). In recent days, the agencies have urged insurance companies and other payers to:
Make available interim/bridge and advance payments to providers affected by the attack.
Offer relaxed billing and claims processing requirements.