The lawsuit, filed on Feb. 21 in a Maryland state court, alleges that the UnitedHealth subsidiary’s cybersecurity standards were insufficient to prevent the attack.
The Russian ransomware ransomware group responsible for the cyberattack used stolen credentials to remotely access a company portal that did not have multi-factor authentication.
As the largest clearinghouse for medical claims in the U.S., Change Healthcare processes nearly 15 billion transactions annually, interacting with one in three patient records. The attack sent shockwaves through the healthcare industry, disrupting care delivery and threatening the operational stability of hospitals, insurers and pharmacies nationwide. In total, the attack exposed the personal and health data of 190 million individuals and has been deemed the largest in healthcare history.
In its lawsuit, CareFirst said it lost a large amount of data related to employer accounts and its Medicare Advantage business, according to the BBJ. The company said it had to reallocate $25 million in investment funds as loans to providers struggling to operate as a result of the attack. CareFirst is seeking $900,000 in damages, along with interest and attorney fees.
In late 2024, Nebraska sued Change Healthcare, alleging the company violated state consumer protection and data security laws because of inadequate security measures.
The attack has cost UnitedHealth more than $3 billion, and the company has issued more than $9 billion in loans to affected providers.
