The Change Healthcare Data Breach Lawsuit

The Change Healthcare data breach lawsuit represents one of the largest and most complex legal responses to a healthcare cybersecurity incident in the United States as of 2025. In February 2024, Change Healthcare, a leading healthcare technology and data processing company owned by UnitedHealth Group, suffered a massive ransomware attack that exposed the protected health information of approximately 190 million individuals. The breach triggered widespread disruption across healthcare providers, insurers, and pharmacies, severely impacting claims processing and patient care delivery.

As the breach unfolded, sensitive data including names, Social Security numbers, medical histories, insurance information, and financial details were stolen by the cybercriminal group known as BlackCat. Change Healthcare’s security failures and delayed response led to numerous lawsuits filed across the country by affected individuals, healthcare providers, and states, resulting in a consolidated multidistrict litigation (MDL) heard in the U.S. District Court for the District of Minnesota.

Background of the Data Breach and Cyberattack

On February 12, 2024, hackers gained unauthorized access to Change Healthcare’s systems via compromised credentials and deployed ransomware, encrypting critical data and forcing a multi-week outage. The breach was not detected for over a week, delaying incident response. Notably, Change Healthcare failed to implement key cybersecurity safeguards such as multifactor authentication and adequate network segmentation, allowing the attackers to access backup systems as well. UnitedHealth Group reportedly paid a ransom of $22 million to mitigate further harm, though patient data subsequently appeared on the dark web.

The attack disrupted billing and payment processing that touches one in every three patient records nationally, creating cash flow crises for providers, delaying medical services, and forcing some patients to pay out-of-pocket unexpectedly. These operational failures exacerbated the harm caused by the data theft itself.

Legal Claims in the Change Healthcare Lawsuit

  • Negligence and Failure to Safeguard Data: Plaintiffs allege Change Healthcare and UnitedHealth Group failed to implement adequate cybersecurity measures and ignored industry warnings, violating the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission Act, and state data protection laws.
  • Failure to Provide Timely Notice: The company delayed breach notification to affected individuals for several months, hindering preventive actions against fraud and identity theft.
  • Consumer Protection Violations: Claims include deceptive practices in representing the adequacy of data security protections and failure to mitigate damages resulting from the breach.
  • Unjust Enrichment: Plaintiffs argue the company profited from processing sensitive health data while failing to uphold its duty of care.
  • Financial Harm and Out-of-Pocket Costs: Some lawsuits represent healthcare providers seeking damages for lost revenue, disrupted cash flow, and expenses tied to the breach and its aftermath.

Current Legal Status and Litigation Developments

The lawsuits against Change Healthcare have been consolidated into a multidistrict litigation (MDL 3108) in Minnesota under Judge Donovan Frank. As of mid-2025, dozens of class-action and individual suits claim damages on behalf of hundreds of millions of affected data subjects and medical providers. Change Healthcare has filed motions to dismiss certain claims on jurisdictional and procedural grounds, which are pending court rulings.

Settlement discussions have been underway since late 2024 to achieve an early resolution. However, given the breach’s unprecedented scale and complexity, it is expected that multiple bellwether trials will be conducted if a comprehensive settlement is not reached. Plaintiffs seek one of the largest healthcare data breach settlements in history, potentially exceeding prior benchmarks such as the 2015 Anthem breach settlement of $115 million.

Impact on Healthcare Industry and Consumers

The Change Healthcare breach and ensuing lawsuits have profound implications for healthcare cybersecurity, patient privacy, and operational resilience. They underscore the critical importance of robust IT defenses, rapid breach detection, transparent communication with affected parties, and comprehensive risk management in healthcare technology services.

For consumers, the breach presents substantial risks of identity theft, fraud, and misuse of sensitive medical information. Healthcare providers face financial strain and reputational damage from the disruption caused by compromised data systems.

Frequently Asked Questions About the Change Healthcare Data Breach Lawsuit

Who is eligible to participate in the Change Healthcare lawsuit?

Individuals whose personal and medical information was compromised in the breach, as well as healthcare providers who suffered financial losses due to the disruption, may be eligible to join the class actions or file individual claims.

What types of data were exposed in the breach?

Exposed data includes names, Social Security numbers, dates of birth, insurance details, medical histories, financial and employment information, and other protected health information (PHI).

Has Change Healthcare admitted liability?

While Change Healthcare has confirmed the breach and cooperated with regulatory investigations, it has denied negligence in court filings and seeks dismissal of certain claims.

Are there ongoing settlement negotiations?

Yes. Negotiations aim to achieve compensation for affected parties, although no finalized settlement has been publicly announced as of August 2025.

What government actions are involved?

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) is investigating potential HIPAA violations, while some state attorneys general, including Nebraska’s, have filed lawsuits over data security failures and improper breach notification.

Conclusion

The Change Healthcare data breach lawsuit is a landmark case that highlights the vulnerabilities and high stakes of cybersecurity in healthcare data management. Affecting nearly two hundred million individuals, the breach exposed deep operational risks and privacy concerns that reverberate throughout the healthcare sector. As litigation proceeds, the resolution will likely shape future standards for data protection, breach response, and corporate accountability in healthcare technology services. Patients, providers, and the industry alike await outcomes that promise enhanced security and justice for those harmed by this unprecedented cyberattack.
