Change Healthcare Faces Lawsuit While Personal Touch Holding Corp Settles Lawsuit

Multiple Class Action Lawsuits Against Change Healthcare Due to Ransomware Attack

On February 21, 2024, Change Healthcare suffered a Blackcat ransomware attack and has still not recovered from the incident: two weeks after the attack, not all of its systems are back online. The Blackcat ransomware gang claimed to have stolen 6TB of data before encrypting files, and the affiliate responsible for the attack stated that Optum paid a $22 million ransom to recover the stolen files and obtain the decryption keys. The affiliate claims that the Blackcat operators kept the entire payment and never paid the affiliate its share. Blackcat, for its part, said that law enforcement had seized its operation, while the affiliate says it still holds the stolen 6TB of data. Neither Change Healthcare, Optum, nor their parent company, UnitedHealth Group, has confirmed the scope of any data breach or the payment of a ransom. They have only stated that they are concentrating on the investigation and on restoring their systems.

Given the Blackcat group's track record, the stolen data most likely includes a substantial amount of patient information, and since Change Healthcare handles about 15 billion healthcare transactions annually involving the PHI of 1 in 3 U.S. citizens, any data breach is likely to be enormous. Change Healthcare has not yet confirmed a data breach, so breach notification letters will not be mailed any time soon. Nevertheless, many individuals have already filed lawsuits over the theft of their protected health information (PHI) in the attack.

Around five class action lawsuits have been filed in Tennessee and Minnesota over the Change Healthcare data breach, and more are expected in the coming days and weeks. One lawsuit was filed in Minnesota federal court on behalf of Nicolas Keriazis, a California resident, and similarly situated individuals whose PHI was allegedly accessed, copied, and exfiltrated by the Blackcat ransomware group from servers owned by UHG. The defendants named in the lawsuit are United Health Group Incorporated, Optum Inc., UnitedHealthcare Inc., and Change Healthcare Inc. (collectively, UHG).

Keriazis fills his prescriptions at a California CVS pharmacy that uses Change Healthcare systems, and he states that the stolen information includes “health records, dental records, payment details, claims data, patients’ data (like addresses, telephone numbers, Social Security numbers, email addresses, etc.), insurance documents, and more.” The lawsuit alleges that the data breach was avoidable and was the result of UHG’s cybersecurity practices and policies falling short of industry standards. It further alleges that UHG should have been aware of the heightened risk of an attack, given the joint cybersecurity alert issued by several government agencies warning of an imminent and increased risk of cyberattacks on healthcare companies and hospitals, which advised them to take immediate precautions to secure their systems. The lawsuit claims that UHG violated HIPAA, failed to follow Federal Trade Commission (FTC) guidance, and engaged in practices prohibited by Section 5 of the FTC Act.

As a result of the data breach, Keriazis and the class members did not receive the benefit of their bargain with UHG and now face a substantial risk of medical identity theft, financial fraud, and other identity-related fraud. The lawsuit asserts claims of breach of third-party beneficiary contract, negligence, negligence per se, and unjust enrichment. The plaintiff seeks statutory damages; compensatory, general, and consequential damages; and treble and/or punitive or exemplary damages, to the extent permitted by law. The lawsuit also seeks an order of disgorgement and restitution of all earnings, profits, compensation, and benefits that UHG obtained through its omissions and unlawful acts and practices, as well as injunctive relief, including a court order requiring UHG to implement a range of cybersecurity measures to prevent further cyberattacks and data breaches.

The following lawsuits make similar claims, including negligent misrepresentation, violation of the Minnesota Deceptive Trade Practices statute, and breach of implied contract:

  • Robert Reese v. Change Healthcare Inc., filed in the U.S. District Court for the Middle District of Tennessee
  • Robert Mackey v. United Health Group Incorporated, UnitedHealthcare Inc., Optum Inc., and Change Healthcare Inc., filed in the U.S. District Court for the District of Minnesota

Resolved Class Action Data Breach Lawsuit Against Personal Touch Holding Corp

Personal Touch Holding Corp. has received preliminary court approval of a settlement resolving a class action lawsuit filed after a January 2021 ransomware attack and data breach that affected 753,107 individuals. The home health services provider, based in Lake Success, NY, operates approximately 30 Personal Touch Home Care centers across several U.S. states. In January 2021, a ransomware gang accessed business documents stored in the cloud along with the records of 29 of its subsidiaries. Initial access was gained when an employee responded to a phishing email, which resulted in a malware download.

Individuals who had previously received services from Personal Touch or its centers had their names, addresses, phone numbers, dates of birth, and financial data exposed in the attack, including credit card numbers, copies of checks, bank account details, Social Security numbers, medical treatment information, medical insurance cards, medical record numbers, and health plan benefit numbers.

The Everetts v. Personal Touch Holding Corp. class action lawsuit was filed in the U.S. District Court for the Eastern District of New York and alleged that Personal Touch had failed to implement reasonable and appropriate cybersecurity measures before the attack. Had those measures been in place, the lawsuit contended, the ransomware attack could have been prevented. Personal Touch chose to settle the lawsuit without admitting liability or wrongdoing.

Under the terms of the settlement, class members who received a breach notification from Personal Touch on or about March 24, 2021, stating that their protected health information (PHI) or personally identifiable information (PII) was likely not exposed can file a claim for approximately $125 to cover out-of-pocket expenses related to the data breach, including communication charges, credit monitoring costs, and other breach-related expenses incurred after January 20, 2021.

Individuals who received a Personal Touch notification on or about March 24, 2021, stating that their PHI or PII was compromised in the data breach can file claims for approximately $7,500 to reimburse documented out-of-pocket costs and losses resulting from identity theft and fraud, including lost time of about three hours at $25 per hour. The settlement also provides two years of Identity Defense Total service for individuals whose PHI and/or PII was likely compromised in the data breach.

Claims must be filed by May 21, 2024, which is also the deadline for objecting to the settlement or opting out. Individuals who take no action will receive no compensation and will forfeit their rights relating to the breach. The settlement has received preliminary approval from the court, and the final settlement hearing is scheduled for July 22, 2024.

In October 2023, New York Attorney General Letitia James announced a $350,000 settlement with Personal Touch to resolve allegations that it had violated HIPAA and state data security laws. According to the Attorney General, Personal Touch should have known about its security weaknesses but failed to address them in a timely manner, had only a rudimentary security program, and had not provided adequate HIPAA training to its workforce.


Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X.