Several pharmacy groups have joined several healthcare providers in suing Change Healthcare over the March cyberattack on its system that left it vulnerable to cyberattacks. It is alleged that some healthcare providers are still having to wait on delayed payments for their services.
The National Community Pharmacists Association (NCPA) represents over 19,000 pharmacies in the country.
Along with 30+ providers, the NCPA asserted that UnitedHealth Group and its subsidiaries, Optum and Change Healthcare, could have been more proactive in preventing the cyberattack by implementing multi-factor authentication on the server that the hackers were able to gain access to.
According to the lawsuit filed by 39 healthcare providers and the National Community Pharmacists Association, they have not been able to recover financial damages from the Change Healthcare cyberattack that took place this year.
Plaintiffs have filed a class action lawsuit against UnitedHealth Group, Optum, and Change Healthcare, in response to the cyberattack that occurred this year at Change Healthcare.
In the wake of the February 21 cyberattack, Change stopped processing claims payments for hospitals and physician practices, affecting the revenue of providers and creating financial instability that could lead to some practices filing for bankruptcy. The February attack resulted in the theft of six terabytes of patient information, such as Social Security numbers and driver's license numbers.
Consequently, UnitedHealth Group implemented a solution to stop the Change system from being accessed by new payers, which brought healthcare payments, claims processing, and other services to a halt.
Over the past two years, UnitedHealth Group has advanced over $3.3 billion in loans to providers and pharmacies that are finding it difficult to meet cash flow requirements amid delayed payments as a result of the attack. Some providers and pharmacies have been struggling to cover rent and pay staff salaries while providing essential services to patients and filling vital prescriptions, yet they have still not received reimbursement for those services.
It was also reported that, in addition to the July lawsuit, dozens of other healthcare providers and patients sued UnitedHealth Group in June over issues related to the February security breach.
There have been major disruptions in the healthcare system since Change was breached in late February, resulting in payments to providers being delayed, prescription refills not being fulfilled, prior authorization requests not being processed, and eligibility checks not being completed.
In late February, Change Healthcare was hit by a ransomware attack launched by Alphv/BlackCat, which encrypted the company's files. In the aftermath of the cyberattack, approximately one-third of the American population saw their personal information stolen and had to deal with the financial hardship that resulted. UnitedHealth Group advanced billions of dollars to providers as a result of the cyberattack, but those organizations are reporting losses of revenue from unpaid claims and operational disruptions months after the incident.
A class action lawsuit was filed on July 19, 2024, in the United States District Court for the District of Minnesota against UnitedHealth Group and its subsidiaries, Change Healthcare and Optum, alleging that they failed to take reasonable precautions to prevent the breach of confidential information.
Furthermore, the plaintiffs complained that Change Healthcare had misled customers about the security posture of its network and failed to provide customers with a reasonable workaround for the ensuing disruption after the company shut down the Change Healthcare platform.
They argued that UnitedHealth's acquisition of the healthcare company Change in 2022 created an "eventual single point of failure" within the U.S. health system as a result of its reliance on Change. In addition, they allege that the technology company and the large claims processor did not have reasonable cybersecurity measures in place.
UnitedHealth CEO Andrew Witty revealed in testimony before Congress in May that the Change portal used by the hackers was not using multifactor authentication, which requires a second method for verifying a user's identity beyond just a password to prevent breaches of security.
The cyberattack on Change Healthcare has raised significant concerns, potentially compromising sensitive data from a substantial portion of the U.S. population. UnitedHealth CEO Andrew Witty, in his Congressional testimony, estimated that the personal and health information of nearly one-third of Americans might be at risk.
Providers and pharmacists have expressed dissatisfaction, arguing that Change Healthcare has failed to provide "adequate guidance" regarding the breach. They are uncertain whether they need to notify their patients about the potential compromise of their personal and health data.
In response, Change Healthcare announced that it began sending notification letters to its customers last month and plans to contact affected individuals directly by late July. UnitedHealth did not provide a comment before the publication deadline.
Following the discovery of the attack, Change Healthcare, a subsidiary of UnitedHealth Group’s Optum, took its healthcare electronic data interchange system offline. This action disrupted the claims payment system relied upon by most hospitals and numerous physician practices nationwide, significantly affecting provider revenue.
The American Medical Association (AMA) reported that the cyberattack financially impacted 94% of hospitals, with over three-quarters of physician practices experiencing "severe disruptions."
In response to these disruptions, the Centers for Medicare and Medicaid Services (CMS) initiated accelerated and advanced payments in early March to mitigate cash flow issues for hospitals, physicians, and pharmacists. Since the program’s inception, CMS has issued over $2.55 billion in accelerated payments to more than 4,200 Part A hospital providers.
Additionally, over 4,722 advance payments, totaling more than $717.18 million, have been made to Part B suppliers, which include doctors, non-physician practitioners, and durable medical equipment suppliers. CMS will cease accepting new applications for accelerated or advance payments for the Comprehensive Hospital and Outpatient Payment Demonstration (CHOPD) after July 12.
Change Healthcare has consistently provided updates as it works to restore its systems.
The attack was identified as a ransomware incident, and UnitedHealth CEO Andrew Witty decided to pay a $22 million ransom in Bitcoin to safeguard patient information.
According to CMS, service providers and suppliers have resumed successful billing of Medicare. The ongoing efforts to resolve the aftermath of the cyberattack highlight the importance of robust cybersecurity measures and transparent communication during such incidents.