Change Healthcare cyberattack: Lawsuits emerge, and more are coming

The Change Healthcare cyberattack has caused financial problems for hospitals, medical groups and physician practices across the country, so it’s safe to expect a wave of legal action.

Sean Zabaneh of Duane Morris and Jolene Calla of the Hospital + Healthcare Association of Pennsylvania talk about the Change Healthcare cyberattack at the HAP Leadership Summit.

To date, 24 class actions lawsuits have already been filed, according to a court filing by Change Healthcare this week, Reuters reported.

Some plaintiffs have asked for the suits to be adjudicated in Nashville, Tenn., where Change Healthcare is based. In a court filing, Change Healthcare also sought to have class actions consolidated in a federal court in Nashville.

In a legal filing, plaintiffs said Change Healthcare failed to protect the private health information of consumers and they could be at risk of identity theft. The plaintiffs said in the filing they also expect “additional class actions will soon commence in other federal courts.”

Legal experts discussed the Change Healthcare cyberattack at the Hospital + Healthsystem Association of Pennsylvania Leadership Summit this week.

During a discussion on the impact of the cyberattack, Sean Zabaneh, a partner with Duane Morris, said he expects, “lots of lawsuits, lots of litigation and lots of complicated legal issues.”

More providers are likely to file suits for negligence, and patients also could pursue litigation based on the breaches of their private health information, he said.

Suits could take years

Of the 24 lawsuits mentioned in the Change Healthcare court filing, 13 were filed by individuals and 11 were submitted by providers, the company said.

Change Healthcare processes claims, prescription, billing and other services for hospitals and healthcare providers. With hospitals being unable to file claims, many have suffered losses due to the interruption of cash flow.

Healthcare providers are likely to file suits due to the financial impact on their businesses, including delays in providing care, Zabaneh said. In Change Healthcare's court filing, the company said providers pointed to the delay in receiving insurance payments.

Hospitals have said the delays in securing insurance approvals for treatments has affected patient care. About three-quarters of hospitals (74%) have said patient care has been affected by the cyberattack, according to a survey from the American Hospital Association. And 94% of hospitals said they’re finances have been affected, the survey said.

• Read more: How cyberattacks threaten patient safety

UnitedHealth Group, Change Healthcare’s parent company, has established a fund to help providers deal with the financial difficulties. As of Thursday, UnitedHealth has distributed more than $4.7 billion in payments to providers. The company says it will continue to offer assistance to providers until there is a full system recovery.

In its court filing this week, Change Healthcare said, "Change has worked tirelessly over the last six weeks to restore systems and services to support individuals, customers, and other providers."

Lawsuits may provide some financial relief, but providers shouldn’t expect a quick payday from litigation, said Jolene Calla, vice president of finance and legal affairs for the Hospital + Healthsystem Association of Pennsylvania.

“If you're looking for a lawsuit and a quick recovery, that's really not in the cards. That's not going to be the answer for people,” Calla said during the leadership summit.

The suits related to the cyberattack could take years to work through the legal system, especially given the complexity of the issue, including the questions surrounding whether Change maintained sufficient protections.

“Typically, these things take years,” Zabaneh said.

“It depends on the provider and depends on the type of case,” he said, adding, “Litigation is never a fast answer.”

In its court filing, Change Healthcare said the suits are based on "the incorrect and unfounded theory" that the breach occurred due to deficiencies in the company's security.

The U.S. Department of Health & Human Services, through its Office of Civil Rights, has launched an investigation of Change Healthcare and UnitedHealth Group. Citing the “unprecedented magnitude” of the cyberattack, federal officials say they are looking to determine if Change Healthcare or UnitedHealth Group violated the Health Insurance Portability and Accountability Act.

UnitedHealth said the "Blackcat" ransomware gang is behind the cyberattack. The ransomware group has been known to target the healthcare sector, federal authorities say.

In its court filing seeking to consolidate cases in Nashville, Change Healthcare pointed to "the inefficiency, expense, and risk of inconsistent rulings that would result from separate litigation of substantially similar cases across the country."

'Prepare for the future'

Hospitals and health systems should review their business associate agreements to understand their rights and obligations, Zabaneh said.

Hospitals should also review their cyber insurance policies. Health systems should brace for the possibility of higher premiums for cyber insurance following the Change Healthcare attack, he said.

If they haven’t already, hospitals should also consider business interruption insurance, which can offset losses if operations are disrupted, Zabaneh said.

Cybersecurity experts have suggested hospitals consult their vendors to be sure they have sufficient protections for data privacy. Rick Pollack, president & CEO of the American Hospital Association, told the Pennsylvania conference that the Change Healthcare attack illustrates that hospitals are at risk from breaches from third parties.

As hospitals rely so heavily on partnerships with third parties who have access to their systems, Calla said organizations must have an inventory of all of those connections.

“Every connection that you have that goes outside of your system is a potential target and risk,” she said.

Calla urged hospital leaders to take a close look at their cybersecurity protections to ensure their organizations are as secure as possible.

“Now is the time to really plan and prepare for the future,” Calla said. “We know what happened. We can’t change history. But from here on out, you can really tighten up things.”

And that includes being prepared for other cyberattacks in the future, experts advise.

“I think one thing you want to think about certainly, in addition to this situation, is preparing for future attacks,” Zabaneh said. “I mean, if nothing else, this should be a wake-up call to everybody.”