The National Community Pharmacists Association (NCPA), in collaboration with dozens of other providers, has filed a class action lawsuit against UnitedHealth Group and subsidiaries Change Healthcare and Optum following a cyberattack that severely disrupted health-care industry operations.
NCPA filed the lawsuit in late July and said afterward in a news announcement, “In February, Change Healthcare was hit with a ransomware attack that brought payment and claims processing across the country to a halt. NCPA and the other plaintiffs say Change failed to take reasonable precautions against a catastrophic breach; [misled] them about its network security; and caused massive financial losses for health-care providers who were never reimbursed for services, and who incurred huge expenses trying to work around the downed system.”
Change Healthcare was handling 15 billion claims per year
NCPA noted in the announcement that Change Healthcare “handles medical billing for a huge chunk of the health-care industry,” while Optum is United Healthcare’s pharmacy benefits manager.
In May, the U.S. House of Representatives’ Energy & Commerce Committee, in explaining how the cyberattack happened and the fallout from it, said, “Change Healthcare is one of the largest health payment processing companies in the world. It acts as a clearing house for 15 billion medical claims each year — accounting for nearly 40 percent of all claims.
“The cyberattack that occurred in February knocked Change Healthcare — a subsidiary of the behemoth global health company UnitedHealth — offline, which created a backlog of unpaid claims.”
The Energy & Commerce Committee announcement added that the unpaid claims caused cashflow problems for many health-care providers, thus “threatening patients’ access to care.”
“The attack occurred because UnitedHealth wasn’t using multifactor authentication (MFA), which is an industry standard practice to secure one of their most critical systems,” the Committee announcement added.
Testifying before Congress in May, UnitedHealth Group CEO Andrew Witty estimated that one-third of the American population had their health information leaked to the dark web as part of the cyberattack, despite UnitedHealth paying a ransom of $22 million in Bitcoin to prevent that from happening.
‘Bigger is not better’
The NCPA has been vocal about the enormous cost of the cyberattack.
“UnitedHealth Group and its subsidiaries need to be held accountable for their lax security measures and for their failure to provide our members with adequate support and assurances to alleviate the financial losses our members suffered,” said NCPA CEO B. Douglas Hoey in the lawsuit announcement.
“NCPA was against UnitedHealth’s acquisition of Change from the start. This breach proves that bigger is not better and that consolidation often leads to inefficiencies. Companies are so big they cannot protect every entry point and cannot respond quickly due to internal bureaucracy. The fact issues remain unresolved is a testament to this point. This breach has cost our members a significant amount of money and time, and it is still not resolved months later.”
The organization also criticized how UnitedHealth Group reacted to the cyberattack.
“Not only did Change, Optum, and UnitedHealth fail to adequately protect data for millions of patients, but when they discovered the breach, they shut the entire system down without providing a workable alternative, leaving thousands of pharmacies without any way to process claims,” the announcement said.
“Because defendants disconnected the Change platform, many health-care providers lost their primary (and in some cases, their only) source of claims processing for their patients and did not receive payment,” the lawsuit said. “Health-care providers had to absorb these upfront costs.” Many pharmacies chose to purchase new software at their own expense in an attempt to keep operations going.
“Community pharmacies incurred the losses because they wouldn’t let their patients suffer,” Hoey said. “Senior citizens and people with chronic illnesses were especially vulnerable. They can’t afford to pay out of pocket for drugs that can cost thousands of dollars because a medical billing firm left itself vulnerable.
“It wouldn’t have been fair to patients, and it isn’t fair to leave pharmacies holding the bag.”