
© Reuters. File photo: UnitedHealth Group’s corporate logo is displayed on the side of the company’s office building in Santa Ana, Calif., April 13, 2020. REUTERS/Mike Blake/File Photo
By Brendan Pearson
(Reuters) – UnitedHealth Group is already facing at least six class action lawsuits accusing it of failing to protect the personal data of millions of people in last month’s hack of its payment processing unit Change Healthcare. More lawsuits are likely.
In a motion filed in Washington, D.C., late Tuesday, plaintiffs’ lawyers asked the U.S. Judiciary to consolidate six lawsuits in federal court in Nashville, Tennessee, where Change is headquartered, and said they expected more lawsuits to be filed.
It’s not clear how much information was compromised in the attack, carried out by the ransomware hacker group BlackCat, so it’s unclear how large the lawsuit will be.
UnitedHealth disclosed the attack on February 21 without disclosing the number of people affected, but said in a statement Wednesday that it is focused on restoring Change’s operations.
UnitedHealth has not said whether BlackCat demanded a ransom, but postings on online forums used by hackers suggest the company paid hackers $22 million to regain access to locked systems.
Under the U.S. health care privacy law, the Health Insurance Portability and Accountability Act (HIPAA), companies have 60 days after discovering a data breach to notify affected individuals that their personal information has been compromised.
For breaches that affect more than 500 people, the company must notify federal regulators and prominent media outlets. UnitedHealth has so far made no such notification.
Change processes approximately 50% of medical claims in the United States, for approximately 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories.
The attack shut down Change’s operations and left providers such as large hospital systems, small medical practices, and pharmacies unable to collect payments. Change plans to resume processing payments by March 15, according to UnitedHealth’s website.
The lawsuits allege that Change failed to protect patients’ personal information, putting them at risk of identity theft and privacy violations. Some argue that patients are unable to fill prescriptions because their insurance claims cannot be processed, putting their health at risk.
The plaintiffs allege that the information that Change stored and that is now at risk includes medical records, payment information, names, Social Security numbers, and more. One of the lawsuits states that “information from the data breach is on the dark web and is already available for sale,” but gives no details to support that claim.
The lawsuit accuses the company of negligence and violating privacy requirements of HIPAA and various state laws.
Four of the lawsuits were filed against Change in Nashville, and two were filed against UnitedHealth in Minnesota, where the parent company is based.
Tuesday’s motion was filed by attorneys in the Nashville case. Lawyers in the Minnesota case could file a competing motion to have the case transferred to their home court, in which case the U.S. Judicial Panel on Multidistrict Litigation would decide where the cases should be sent.


