Change Healthcare Cyberattack Data Breach Litigation
Case Overview
In February 2024, the ALPHV/BlackCat ransomware group infiltrated Change Healthcare, a UnitedHealth Group subsidiary that processes approximately 15 billion healthcare transactions annually — roughly one-third of all U.S. patient records. The attackers exfiltrated an estimated 6 terabytes of data before deploying ransomware that took Change Healthcare's systems offline for weeks, causing catastrophic disruptions to prescription processing, insurance claims, and payment systems across virtually every corner of the U.S. healthcare industry. UnitedHealth Group reportedly paid a $22 million ransom. Affected data includes names, Social Security numbers, dates of birth, health insurance details, medical record numbers, diagnoses, treatment information, and financial/banking data for an estimated 190 million individuals — surpassing all prior U.S. healthcare breaches combined.
A federal MDL was established in the District of Minnesota in 2024, consolidating hundreds of lawsuits filed by patients, independent physicians, hospital systems, pharmacies, and healthcare providers who suffered financial losses and operational shutdowns due to the attack. Patient plaintiffs allege UnitedHealth Group failed to implement adequate cybersecurity safeguards required by HIPAA and industry standards, and that the company's acquisition of Change Healthcare in 2022 — which concentrated enormous amounts of health data within a single entity — created an irresistible and foreseeable target for cybercriminals. Provider plaintiffs, including small practices and rural hospitals, allege they lost millions in revenue while unable to submit or receive payment for claims during the outage. Congressional hearings in 2024 sharply criticized UnitedHealth CEO Andrew Witty over the breach, and the HHS Office for Civil Rights has launched a formal investigation.
Who May Qualify
U.S. residents whose personal, medical, or financial information was stored or processed by Change Healthcare and was compromised in the February 2024 breach; healthcare providers (physicians, hospitals, pharmacies, clinics) who experienced revenue losses or operational disruptions due to the Change Healthcare system outage. Individuals who received a breach notification letter from UnitedHealth Group are particularly encouraged to evaluate their claims.
Frequently Asked Questions
Can I sue UnitedHealth Group or Change Healthcare for the February 2024 data breach?
Yes. The Change Healthcare cyberattack has led to a class action lawsuit against UnitedHealth Group and its subsidiary Change Healthcare. If your personal, medical, or financial information was exposed in the breach affecting an estimated 190 million Americans, you may have grounds to join the litigation or file a claim. Contact an attorney to evaluate your specific situation and understand your legal options.
How do I get money from the Change Healthcare data breach settlement?
Settlement details are still being determined as the class action litigation is ongoing. Once a settlement is reached, eligible individuals typically receive a claims notice with instructions on how to file for compensation. Those who received a breach notification letter from UnitedHealth Group are strongly encouraged to document it and consult an attorney to ensure they don't miss important deadlines.
Who qualifies for the Change Healthcare data breach lawsuit?
U.S. residents whose personal, medical, or financial data was stored or processed by Change Healthcare and exposed in the February 2024 ransomware attack qualify, as do healthcare providers (doctors, hospitals, pharmacies, clinics) who suffered revenue losses or operational disruptions. If you received a breach notification letter from UnitedHealth Group, you are encouraged to evaluate your claim immediately.