In response to the Change Healthcare data breach earlier this year, the NCPA launched a lawsuit based on Change Healthcare's failure to implement effective security measures and the substantial consequences faced by organizations affiliated with the organization.
What happened
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, was severely hit by a ransomware attack that disrupted its medical billing operations nationwide. As a result, pharmacies and healthcare providers across the country were left unable to process payments and claims, causing financial turmoil.
The National Community Pharmacists Association (NCPA) claims that Change Healthcare failed to implement adequate security measures to prevent such a breach. This lack of preparedness exposed millions of patient records and forced healthcare providers to cover upfront costs without reimbursement.
Many pharmacies were pushed to take out loans or use up their savings to purchase alternative software solutions to continue serving their patients. In response, the NCPA and other affected providers filed a class action lawsuit against UnitedHealth Group and its subsidiaries, seeking accountability and compensation for the extensive financial losses.
See also: Going deeper: The Change Healthcare attack
What was said
The preliminary statement of the complaint starts with, “An urgent care chain in Ohio may be forced to stop paying rent and other bills to cover salaries. In Florida, a cancer center is racing to find money for chemotherapy drugs to avoid delaying critical treatments for its patients. And in Pennsylvania, a primary care doctor is slashing expenses and pooling all of her cash — including her personal bank stash — in the hopes of staying afloat for the next two months.” This was (and still is) the reality for many healthcare providers as a result of Defendants’ response following what might be the most consequential data breach in history.”
In the press release, NCPA CEO B. Douglas Hoey stated, “UnitedHealth Group and its subsidiaries need to be held accountable for their lax security measures and for their failure to provide our members with adequate support and assurances to alleviate the financial losses our members suffered. NCPA was against UnitedHealth’s acquisition of Change from the start. This breach proves that bigger is not better and that consolidation often leads to inefficiencies.”
See also: Providers seek clarity on Change Healthcare data breach reporting
Why it matters
The actions of the NCPA are challenging major healthcare players like UnitedHealth Group, Change Healthcare, and Optum in a class action lawsuit. This lawsuit is not just about seeking financial compensation for the pharmacies that faced severe disruptions and financial losses due to a massive cyberattack; it’s about demanding accountability and better security standards in the healthcare industry. The NCPA is pushing for changes that could prevent future breaches.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
What is a cyberattack?
A cyberattack is a deliberate attempt by hackers to damage or steal data from a computer system or network.
What is the role of the NCPA?
The role of the NCPA is to represent and support the interests of community pharmacists, including advocating for policies that benefit their operations and patient care.
What is an example of ineffective cybersecurity measures?
An example of ineffective cybersecurity measures is failing to implement encryption.
Kirsten Peremore
