UnitedHealth gave hackers easy access to Change data, new lawsuit claims
A group of 65 plaintiffs are suing UnitedHealth Group, claiming that “massive security failures” led to the 2024 Change Healthcare data breach.
Optum, Inc. and Change are also named as defendants in the class-action lawsuit filed last week in U.S District Court for the District of Minnesota. Change announced last week that its review of the impacted data is "substantially complete."
“Had Defendants employed basic, long-established, and recommended security tools, the Data Breach should have been easily thwarted,” the lawsuit states. However, Change Healthcare’s remote access portal “did not have multi-factor authentication.”
As a result, hackers “had virtually no roadblocks in gaining access to the large quantities of Personal Information,” the lawsuit claims.
“We believe this lawsuit is baseless and we intend to defend ourselves vigorously,” a spokesperson for Optum said. A subsidiary of UnitedHealth Group, Optum functions as the health services and innovation arm of the company.
The 365-page includes extensive summaries of the impact on each of the plaintiffs, with repeated instances of fraudulent activity, hours spent on the phone with credit agencies and a significant increase in spam emails and scam attempts.
Plaintiffs come from all regions of the United States, including Hawaii and Alaska. Only one plaintiff is unnamed, a Chicago man who is HIV positive, and “deeply concerned about the release of this information against his consent and is particularly worried about the potential impact on his employment prospects and his relationships in his community,” the lawsuit states.
Plaintiffs are asking for compensatory and other damages, and for UnitedHealth to pay for a minimum of five years of credit-monitoring services for the entire class.
“Both before and after the Data Breach, Defendants repeatedly put their interests above those of the impacted patients,” the lawsuit says. “However, Defendants owed duties to Plaintiffs and Class members to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard their Personal Information against unauthorized access and disclosure.”
Massive data breach
On Feb. 11, 2024, an affiliate of the BlackCat/ALPHV ransomware group gained access to the Change Healthcare network, and spent nine days inside the network stealing data before they used ransomware to encrypt files.
Change paid a $22 million ransom in bitcoin to prevent the publication of the stolen data. The ransomware group, however, reneged on the deal with Change to destroy the stolen data files, and retained the stolen data. The personal, health, and financial information of an estimated 100 million individuals was stolen in the attack.
Another ransomware group, RansomHub, confirmed that it possessed four terabytes of stolen data from the Change data breach and posted screenshots of the data on its dark web ransomware site, the lawsuit says.
“The hackers continue to attempt to extort Defendants out of additional ransom payments,” the lawsuit says. “Now that Defendants have recovered their own copies of the data allowing them to continue to monetize it, however, they appear less eager to pay any further ransom.”
UnitedHealth had more than 152 million customers at the time of the Feb. 17-20 data breach, which means about 45% of Americans have been affected. Multiple lawsuits have been filed against Change Healthcare, Optum Inc., and UnitedHealth Group, including one by the state of Nebraska.
During a conference call earlier this month, UnitedHealth Group executives cited the ransomware attack as a costly drain on revenues. The total cost of the response is now predicted to be between $2.3 billion and $2.45 billion, The HIPPA Journal recently reported.
The 65 plaintiffs fault UnitedHealth for paying the ransom, saying it “did nothing” to benefit affected victims.
“Defendants’ decision to pay a ransom runs counter to law enforcement’s recommendations, as nothing requires the hackers to keep their word that they will destroy the data after payment—and they often do not.”
Shareholder lawsuit
UnitedHealth is dealing with unhappy shareholders as well. The City of Hollywood Firefighters’ Pension Fund is the lead plaintiff in a class-action lawsuit claiming that UnitedHealth executives hid the notice of a Department of Justice investigation.
On Oct. 10, 2023, UnitedHealth received notice that the DOJ had launched a “non-public antitrust investigation into the company,” the lawsuit states.
“Concealing this material information from investors and the public, UnitedHealth chairman Stephen J. Hemsley and several other senior executives immediately took action – selling more than $100 million of their UnitedHealth stock at artificially inflated prices as the market and other investors remained unaware of the new federal antitrust investigation,” the lawsuit claims.
When the Wall Street Journal exposed the investigation in a Feb. 27, 2024 article, the price of UnitedHealth stock declined over $27 per share, falling from $525.32 per share on Feb. 26, 2024 to $498.28 on Feb. 28, 2024, the lawsuit notes.
© Entire contents copyright 2025 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.
InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.




Is technophobia costing RIAs millions in passive SEO leads?
BetterLife, CSA merger brings organizations with Czech-Slovak roots together
Advisor News
- The overlooked retirement security risk that must be addressed
- What advisors should know about hedge funds in retirement planning
- Retirement control is top success measure for middle class, ACLI says
- Industry groups applaud House passage of Financial Exploitation Prevention Act
- Younger workers more likely to be eligible for a retirement plan after changing jobs
More Advisor NewsAnnuity News
- Malibu Life Holdings Completes Acquisition of TruSpire, Establishing Malibu USA and Accelerating Entry into the U.S. Retail Annuity Market
- Why job boards are failing insurance agencies
- MassMutual Ranks No. 100 on the 2026 Fortune 500® List
- What’s fueling record annuity growth?
- Jackson Named InvestmentNews 2026 Annuities Provider of the Year
More Annuity NewsHealth/Employee Benefits News
- Reports from Capital One AG Describe Recent Advances in Managed Care (Factors Affecting Medical Appointment Adherence among Adolescents and Young Adults with Kidney Disease: A Longitudinal Cohort Study): Managed Care
- Studies from University of Alabama Further Understanding of Neurology (Understanding stroke caregiving in rural contexts: a qualitative study of family caregivers’ cultural values, coping behaviors, and technology use): Health and Medicine – Neurology
- New state law will create more transparency of dental insurance benefits
- Rob Sand pledges to reverse Iowa Medicaid privatization
- Millions drop ACA coverage amid price jump
More Health/Employee Benefits NewsLife Insurance News
- NAIFA praises House committee approval of Clarity for Compensation Act
- PHL Variable liquidation pushed out to 2027, Connecticut regulators say
- ‘Recession-Proof’ Insurance Is Trending. Safety Net or Scam?
- Winged Keel Group Expands National Presence and PPLI Leadership, Welcomes SBSI, Inc. (dba NFP Insurance Solutions)
- MassMutual Ranks No. 100 on the 2026 Fortune 500® List
More Life Insurance News