UnitedHealthcare Data Breach Has Far-Reaching Effects, Says Class Action

Repercussions of the UHG breach will continue to cause significant disruptions in healthcare, as the medical insurer processes 15 billion transactions annually, affecting a third of all patient records in the U.S., the complaint said. To mitigate the cybersecurity threat, UHG took certain systems offline, it said, causing “immobilization without the functionality of UHG’s systems."

The breach’s repercussions are also “severely impeding” the operations of healthcare providers, the complaint said, quoting an American Hospital Association adviser saying the attack has “impacted every hospital in the country to some extent.” Many providers are having difficulty verifying patient eligibility and coverage, processing claims and invoicing patients, the complaint said.

Small and mid-size practices are “exceptionally vulnerable without the usual cash flow to sustain their operations” and have been unable to receive reimbursement from insurers for patient visits, affecting their ability to cover employee payroll and medical supplies, the complaint said. Patients are “stranded in a state of prescription limbo, unable to access essential medications,” it said. The situation is “particularly distressing for elderly individuals” with fixed incomes, who rely on insurance for medication, and for those with chronic illnesses “who face life-threatening consequences” without their medications, it said.

In October 2022, UHG acquired Change Healthcare, a claims processor that manages billing for over 67,000 pharmacies, with the goal of integrating it with UHG’s OptumInsight service to “streamline” healthcare providers’ clinical, administrative and payment processes, the complaint said. As part of their routine operations, Optum and Change receive patients’ payment, health information and insurance details, the complaint said, including identities, contact details, Social Security numbers, medical and dental records, payment and claims data, and insurance records, it said.

Plaintiff Debra Hall of Charlotte, North Carolina, received a letter from TransUnion in March about a request it received including her personal information, said the complaint. As it didn’t appear to be sent by Hall or an authorized third party, the credit reporting agency said it would not process the request, the complaint said. Hall has since spent considerable time investigating the breach and monitoring her accounts, it said.

Robyn Russell from Morro Bay, California, who has a spinal cord disability, has various medical supply and device expenses totaling about $4,000 monthly with Medicare plus Medicaid coverage through Medi-Cal, said the complaint. The plaintiff called Medicare in early March to ask about coverage of her supplies. When she gave the agent her Medicare number, she was told it was “incorrect,” the complaint said. The agent said Russell’s card “was breached and that she had been assigned a new number” that she would receive in April, it said.

Russell received her new Medicare card in March, but her providers said they couldn’t update her information until April 1. She had recently received a power chair that was billed to her old, incorrect Medicare number and has suffered emotional distress as a result of the data breach and its potential impact on her ability to pay for medical care and supplies, the complaint said. Russell believes her medical claims were on the Change platform, with her patient account numbers, health insurance information, medical record identifiers, dates of military service and provider names, the complaint said.

Despite statements in both companies’ privacy policies saying they protect patients’ data, and that their sensitive information is only available to personnel who need to access it, a Feb. 22 UHG SEC filing revealed that a “suspected nation-state associated cyber threat actor had accessed some of the Change Healthcare IT systems,” the complaint said.

Ransomware group Alphv/Blackcat took responsibility for the cyberattack a week after the UHG SEC filing disclosed the breach, saying it breached UHG’s servers and obtained 6 terabytes of confidential data that also included sensitive data from Medicare, Tricare, CVS, Loomis, MetLife and others, said the complaint. The group’s modus operandi typically involves stealing victims’ data and encrypting the institution’s networks and servers, “effectively denying access to them,” it said. The group then demands a ransom in exchange for providing decryption keys. Though Blackcat “pledges not to publish” the institution’s data on the dark web if the ransom is paid, compromised data often still surfaces there, said the complaint.

The plaintiffs allege UHG’s cybersecurity practices and policies were “insufficient” and fell short of industry-standard measures “that should have been in place well before” the breach occurred. The healthcare sector is a “prime target for cyberattacks,” and incidents involving “stolen credentials” have seen a “significant rise” in recent years, the complaint said. They are at a “present and continuous risk of fraud and identity theft for many years into the future,” it said.

The plaintiffs assert claims for themselves and the class of negligence and negligence per se, breach of implied contract and unjust enrichment. They seek injunctive relief, prohibiting UHG from the illegal actions alleged; awards of statutory damages, trebled, and punitive or exemplary damages; an order of disgorgement and restitution of all earnings, profits and benefits received by UHG as a result of those unlawful actions; litigation costs; and pre- and post-judgment interest.