Mar 6, 2024 - Health

Health care cyberattack spawns threat of patient lawsuits

Illustration: Gabriella Turrisi/Axios

The cyberattack on Change Healthcare that's reverberated across the medical system is now spawning threats of litigation from patients.

Why it matters: Patients left scrambling to determine if insurance will cover drugs or treatments could seek damages from the UnitedHealth Group subsidiary, whose stricken payment network is a mainstay of hospitals, pharmacies and physician offices and processes 15 billion transactions annually.

Driving the news: Gibbs Law Group is thought to be the first to test the waters, by seeking out patients who were forced to pay out of pocket for prescriptions or delay their refills.

  • "Some of these medications cost thousands of dollars," Rosemary Rivas, a partner at Gibbs, told Axios.
  • Gibbs' website states that it's seeking "money back for patients who were unexpectedly forced to pay for expensive medications due to this cyberattack."
  • The firm said it's also representing individuals impacted by other data breaches, including those against Caesars and MGM, which are believed to have been carried out by the same cybercriminal group behind the Change attack.

Between the lines: Patients in Medicare Part D plans are among those who face a greater risk of having their care result in unexpected bills, said Kathy Oubre, CEO of Pontchartrain Cancer Center in Louisiana.

  • "Our patients have called us and said, 'My pharmacy won't fill my prescription. What do I do?'" she said.
  • The cancer center has been dispensing many of those drugs but is taking a risk with Part D beneficiaries because the entire benefits verification process remains down, she said.
  • "You have zero line of sight. You have no idea if they are still eligible. You have no idea what their copay looks like. You're just kind of flying blind," she said.

What to watch: This is likely just the start of a litigation bonanza, Ryan Higgins, a partner at McDermott Will & Emery, told Axios.

  • It's not unusual for firms to solicit prospective plaintiffs in data breaches, but details about what was compromised and just how many are affected are still likely weeks away.
  • "This story is far from over," he said.

The latest: The Department of Health and Human Services on Tuesday said it would help float providers that are reporting cash flow issues tied to the ongoing outage.

  • The department is encouraging health plans to relax pre-approval requirements that might be blocking patients' ability to get care when providers can't use the Change Healthcare system to verify coverage.
  • It's also pressing Medicare contractors to make it faster for providers to switch companies that process their claims — and is offering more flexible filing rules.
  • The response was panned by American Hospital Association CEO Rick Pollack.
  • "The magnitude of this moment deserves the same level of urgency and leadership our government has deployed to any national event of this scale before it," he said in a statement. "The measures announced today do not do that and are not an adequate whole of government response."

What's next: Rivas said Gibbs is keeping its investigation broad, encouraging anyone who believes they've been harmed — including providers — to contact the firm.

  • "This is something that shouldn't have happened, especially with a company that's so big and so profitable," Gibbs said. "They should really be spending the requisite money to ensure they have reasonable security."