UnitedHealth gave hackers easy access to Change data, new lawsuit claims
A group of 65 plaintiffs are suing UnitedHealth Group, claiming that “massive security failures” led to the 2024 Change Healthcare data breach.
Optum, Inc. and Change are also named as defendants in the class-action lawsuit filed last week in U.S. District Court for the District of Minnesota. Change announced last week that its review of the impacted data is "substantially complete."
“Had Defendants employed basic, long-established, and recommended security tools, the Data Breach should have been easily thwarted,” the lawsuit states. However, Change Healthcare’s remote access portal “did not have multi-factor authentication.”
As a result, hackers “had virtually no roadblocks in gaining access to the large quantities of Personal Information,” the lawsuit claims.
“We believe this lawsuit is baseless and we intend to defend ourselves vigorously,” a spokesperson for Optum said. A subsidiary of UnitedHealth Group, Optum functions as the health services and innovation arm of the company.
The 365-page lawsuit includes extensive summaries of the impact on each of the plaintiffs, with repeated instances of fraudulent activity, hours spent on the phone with credit agencies and a significant increase in spam emails and scam attempts.
Plaintiffs come from all regions of the United States, including Hawaii and Alaska. Only one plaintiff is unnamed, a Chicago man who is HIV positive, and “deeply concerned about the release of this information against his consent and is particularly worried about the potential impact on his employment prospects and his relationships in his community,” the lawsuit states.
Plaintiffs are asking for compensatory and other damages, and for UnitedHealth to pay for a minimum of five years of credit-monitoring services for the entire class.
“Both before and after the Data Breach, Defendants repeatedly put their interests above those of the impacted patients,” the lawsuit says. “However, Defendants owed duties to Plaintiffs and Class members to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard their Personal Information against unauthorized access and disclosure.”
Massive data breach
On Feb. 11, 2024, an affiliate of the BlackCat/ALPHV ransomware group gained access to the Change Healthcare network, and spent nine days inside the network stealing data before they used ransomware to encrypt files.
Change paid a $22 million ransom in bitcoin to prevent the publication of the stolen data. The ransomware group, however, reneged on the deal with Change to destroy the stolen data files, and retained the stolen data. The personal, health, and financial information of an estimated 100 million individuals was stolen in the attack.
Another ransomware group, RansomHub, confirmed that it possessed four terabytes of stolen data from the Change data breach and posted screenshots of the data on its dark web ransomware site, the lawsuit says.
“The hackers continue to attempt to extort Defendants out of additional ransom payments,” the lawsuit says. “Now that Defendants have recovered their own copies of the data allowing them to continue to monetize it, however, they appear less eager to pay any further ransom.”
UnitedHealth had more than 152 million customers at the time of the Feb. 17-20 data breach, which means about 45% of Americans have been affected. Multiple lawsuits have been filed against Change Healthcare, Optum Inc., and UnitedHealth Group, including one by the state of Nebraska.
During a conference call earlier this month, UnitedHealth Group executives cited the ransomware attack as a costly drain on revenues. The total cost of the response is now predicted to be between $2.3 billion and $2.45 billion, The HIPAA Journal recently reported.
The 65 plaintiffs fault UnitedHealth for paying the ransom, saying it “did nothing” to benefit affected victims.
“Defendants’ decision to pay a ransom runs counter to law enforcement’s recommendations, as nothing requires the hackers to keep their word that they will destroy the data after payment—and they often do not.”
Shareholder lawsuit
UnitedHealth is dealing with unhappy shareholders as well. The City of Hollywood Firefighters’ Pension Fund is the lead plaintiff in a class-action lawsuit claiming that UnitedHealth executives hid the notice of a Department of Justice investigation.
On Oct. 10, 2023, UnitedHealth received notice that the DOJ had launched a “non-public antitrust investigation into the company,” the lawsuit states.
“Concealing this material information from investors and the public, UnitedHealth chairman Stephen J. Hemsley and several other senior executives immediately took action – selling more than $100 million of their UnitedHealth stock at artificially inflated prices as the market and other investors remained unaware of the new federal antitrust investigation,” the lawsuit claims.
When the Wall Street Journal exposed the investigation in a Feb. 27, 2024 article, the price of UnitedHealth stock declined over $27 per share, falling from $525.32 per share on Feb. 26, 2024 to $498.28 on Feb. 28, 2024, the lawsuit notes.
© Entire contents copyright 2025 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.
InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.