Healthcare , Industry Specific , Legislation & Litigation

Cash-Strapped Women's Clinic Sues UnitedHealth Over Attack

Lawsuit Claims Change Healthcare Outage Is Pushing Clinic, Others Into Bankruptcy
Cash-Strapped Women's Clinic Sues UnitedHealth Over Attack
Image: Advanced Obstetrics & Gynecology PC
Image: Advanced Obstetrics & Gynecology PC

A Mississippi women's healthcare practice has filed what appears to be the first proposed class action lawsuit so far against UnitedHealth Group that alleges the that disruption in claims processing caused by the cyberattack on the company's Change Healthcare unit and ongoing IT outage is threatening to push the clinic and other providers into bankruptcy.

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

Albany, Mississippi-based Advanced Obstetrics & Gynecology PC filed the complaint on March 14 on behalf of the practice and "all medical providers within the U.S. who have suffered delays in processing claims and revenue cycle services" from the cyberattack disclosed by UnitedHealth Group on Feb. 21 (see: The Next Big Bombs to Drop in the Change Healthcare Fiasco).

"As a result of Change's failures, medical providers including plaintiff and class members have been unable to receive payment for their services. As many class members, including plaintiff, have limited liquidity, this disruption threatens to bankrupt hundreds if not thousands of care providers, if it hasn't done so already," the Advanced Obstetrics lawsuit alleges.

Optum, a unit of UnitedHealth Group that acquired Change Healthcare in 2022, has said on its website that Change Healthcare processes 15 billion healthcare transactions annually and that its clinical connectivity solutions touch 1 in 3 patient records in the U.S. (see: The Widespread Effect of the Change Healthcare Mega Hack).

"Given that it is a company in which half of America's medical payments flow, Change needs to maintain the utmost security of its systems," the Advanced Obstetrics lawsuit alleges. "As a sophisticated business entity, making promises that its systems were safe and secure, Change knew it needed to adequately protect those systems. It failed to do so," the complaint alleges.

"Many medical providers, like Advanced, are forced to rely on prompt payment of claims in order to keep their businesses alive."

Advanced, over the past two years, has received approximately $39,000 in paid claims every week, "meaning what Advanced receives weekly from insurance companies to settle the practice's bills for service," the lawsuit alleges.

"Advanced is unable to secure this payment due to Change's system lockout, and thus has been denied approximately $132,700 as of March 14, a figure that will continue to rise day every day. Had Change adequately secured its systems this large amount would have been timely paid, as plaintiff had every reason to expect."

Advanced Obstetrics' lawsuit alleges Change Healthcare did not use reasonable security procedures and practices suited to the sensitive information it was maintaining. "Worse, it compounded the attack by disconnecting all of its services, even though reports indicate that only certain systems were affected. By disconnecting all services, Change guaranteed that no medical providers could be paid for their services."

While at least a dozen other proposed federal class action lawsuits have been filed against UnitedHealth Group in recent days and weeks in the wake of the cyberattack, the other complaints so far were filed by individuals who allege their sensitive information is in the hands of cybercriminals because of the company's failure to secure their data.

Threat actors claiming to be BlackCat have taken credit for the attack, and UnitedHealth Group confirmed earlier this month that the Russian-speaking ransomware group, which also goes by Alphv, was to blame. BlackCat claimed on the dark web that it exfiltrated 6 terabytes of "highly selective data" from Change Healthcare pertaining to "all" of the company's clients (see: BlackCat Ransomware Group Seizure Appears to Be Exit Scam).

UnitedHealth Group has maintained that its investigation into the attack so far has found that the incident was limited to Change Healthcare's IT systems and that the attack affected no other UnitedHealth Group or United Healthcare IT systems.

Restoration Update

In a statement Monday, UnitedHealth Group said that Change Healthcare in the next several days will begin to release to thousands of customers medical claims preparation software - "an important step in the resumption of services."

The company said it also expects to have third-party attestations available prior to services becoming operational. Following this initial phase, remaining service restoration will continue through ongoing phases of activation until all customers have been connected, the company said.

"We continue to make significant progress in restoring the services impacted by this cyberattack," said Andrew Witty, CEO of UnitedHealth Group. "We know this has been an enormous challenge for healthcare providers."

On March 15, the company restored Change Healthcare's electronic payments platform and is proceeding with payer implementations, UnitedHealth Group said. On March 7, the company restored 99% of Change Healthcare pharmacy network services, and it continues to work on remaining issues.

"To assist care providers whose finances have been disrupted by the cyberattack, the company has advanced more than $2 billion thus far through multiple initiatives," the company said. Optum began to offer limited short-term financial assistance to certain providers earlier this month, and the U.S. Department of Health and Human Services has taken several regulatory measures to help ease the pressure on some affected entities. They include making advanced or accelerated payments to some Medicare providers.

Attorneys representing Advanced Obstetrics in the lawsuit against UnitedHealth Group did not immediately respond to Information Security Media Group's request for further comment on the litigation.

HHS' Office for Civil Rights last week said it had launched an investigation into UnitedHealth Group to determine whether a breach of protected health information occurred in the Change Healthcare attack and whether the company violated the HIPAA Rules (see: Feds Launch Investigation Into Change Healthcare Attack).

A UnitedHealth Group spokesman in a statement to ISMG on Monday said the company will cooperate with the HHS OCR investigation. "Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data," the statement said.

As for ISMG's request for comment on the multiple lawsuits UnitedHealth Group faces, including the complaint by Advanced Obstetrics, the company spokesman reiterated, "We are focused on the investigation and recovery of Change Healthcare's operations.”

'Tangled Web'

Attorney Paul Hales of the Hales Law Group, which is not involved in the UnitedHealth Group litigation, said he expects additional Change Healthcare customers to sue to recover the kinds of losses alleged by Advanced in its lawsuit.

"Change Healthcare provides a range of services to an enormous number of customers in a tangled, intertwined web of contracts," he said.

"Businesses and individuals will continue to sue Change and its corporate parents. Individuals who entrusted their information to Change customers will sue everyone. The cost of discovery will be massive. We are seeing the start of a legal free-for-all," Hales said.

"The Change Healthcare cyberattack combines terrifying facts with fascinating legal issues."

Attorney Peter Halprin of the law firm Haynes Boone, which is not involved in the UnitedHealth Group cases, said the disruption caused by the Change Healthcare attack also underscores the importance of business interruption insurance.

This type of coverage refers to "insurance that reimburses lost profits and expenses resulting from an interruption of business at the premises of a customer or supplier," he said.

"In the cyber context, contingent business interruption insurance can cover service-provider outages."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.