Lawsuits over Change Healthcare data breach centralized in Minnesota – ET CISO
https://etimg.etb2bimg.com/thumb/msid-110811060,imgsize-42686,width-1200,height=765,overlay-etciso/data-breaches/lawsuits-over-change-healthcare-data-breach-centralized-in-minnesota.jpg
A federal panel on Friday centralized 49 lawsuits accusing UnitedHealth Group’s Change Healthcare payment processing unit of failing to protect personal data from February’s cyber attack in Minnesota.
The federal Judicial Panel on Multidistrict Litigation said in an order on Friday that Minnesota, where UnitedHealth is based and where several cases are already pending, is the most logical venue. Of the lawsuits, 19 were brought on behalf of individual consumers whose data was allegedly compromised, and 30 by healthcare providers who say they were unable to get paid for their services when Change’s system was locked down after the attack.
Change processes about half of the medical claims in the United States. An American Hospital Association survey found that 94% of hospitals reported damage to their cash flow as a result of the attack.
The lawsuits accuse the company of negligence and are seeking damages to compensate providers for their losses and consumers for the cost of credit monitoring and potential identity theft.
Change had sought to have the cases centralized in Tennessee, where it is based. Some plaintiffs had proposed keeping consumer cases in Tennessee and provider cases in Minnesota, but the panel on Friday said the factual and legal issues would be largely the same for both kinds of cases.
The panel assigned the cases to U.S. District Judge Donovan Frank, a veteran judge appointed to the court in 1998.
Change and UnitedHealth did not immediately respond to requests for comment.
The attack is believed to have been carried out by the ransomware hacker group BlackCat. UnitedHealth disclosed the intrusion on Feb. 21 but did not indicate then how many people were affected.
Change said in an April court filing that the lawsuits are “based on the incorrect and unfounded theory that, because a cyberattack occurred, Change’s security must have been deficient, and plaintiffs must have been harmed.”