
Lawsuit filed on behalf of 'millions' of patients impacted by UnitedHealth data breach

The suit filed in U.S. District Court accuses UnitedHealth of negligence, breach of implied contract, unjust enrichment and seeks declaratory judgment in the case.

MINNEAPOLIS — Editor's note: The video above first aired on KARE 11 in February 2024.

Patients affected by a massive data breach at UnitedHealth Group (UHG) and its affiliated entities have filed a federal lawsuit seeking monetary damages for the exposure of personal, sensitive information.

According to the lawsuit filed against the health care conglomerate Tuesday in the U.S. District Court of Minnesota, UnitedHealth is accused of negligence, breach of implied contract and unjust enrichment, with plaintiffs seeking a declaratory judgment in the case. Court documents name Sandra Groom as the primary plaintiff "on behalf of all others similarly situated."

Those filings reveal Groom and the other plaintiffs accuse UHG of neglecting to adhere to adequate measures meant to prevent such attacks, and that the company violated the Health Insurance Portability and Accountability Act (HIPAA) by not taking steps to ensure patients' information remained confidential.

The lawsuit claims the cyberattack group Blackcat was behind the February incident, gaining access to millions of patient names, addresses, Social Security numbers, medical records and insurance information through UHG subsidiary Change Healthcare. Change, a healthcare technology company, was acquired by UHG in October 2022 to manage revenue and payment cycles between patients and providers.

According to the lawsuit, SEC filings from Feb. 21 indicated a "suspected nation-state associated cyber threat actor" had accessed information through Change. About a week after the SEC filing went public, the lawsuit said Blackcat admitted it was behind the attack, revealing the breach had affected millions of Change Healthcare clients.

While the lawsuit said UHG took proactive steps to "isolate the affected systems," contact law enforcement and notify "customers, clients, and certain government agencies" about the breach, plaintiffs said they're seeking damages over concerns that their personal information is at risk of being stolen, compromised or sold to bad actors, and/or that its exposure makes them vulnerable to potential "misdiagnoses or erroneous treatment" and "delays in care."

Further, court documents said the plaintiffs seek monetary relief to offset damages they've already endured, including "economic losses and other tangible harms."

The suit also seeks injunctive relief aimed at preventing similar data breaches, like implementing heightened security measures, annual security system audits and free monitoring services for those affected.

Change Healthcare, according to the suit, manages the equivalent of approximately one in three patient records in the U.S.

Also on Wednesday, the U.S. Department of Health and Human Services Office for Civil Rights announced it opened an investigation into the incident, penning a "Dear Colleague" letter calling the breach "unprecedented." 

"Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules." 

In response to the Minnesota lawsuit, a representative from UHG told KARE 11:

"We are focused on the investigation and recovery of Change Healthcare’s operations."

In response to the federal suit, UHG said:

"We will cooperate with the Office of Civil Rights (OCR) investigation. Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data."

While patients impacted by UHG's breach could not have prevented or deterred this particular attack, there are ways to keep yourself safe from data breaches online.

The United States Cybersecurity & Infrastructure Security Agency offers proactive tips to prevent and detect future cyber and ransomware attacks on your accounts. They include:

  • Applying the latest security updates to devices
  • Performing regular audits
  • Using multi-factor authentication
  • Thinking before you click

For more information about keeping yourself safe from malicious cyber thefts, attacks and scams, visit CISA's website.

   
