Change Healthcare, Inc. Customer Data Security Breach Litigation, MDL No. 3108
This multidistrict litigation consolidates for pretrial purposes all federal cases alleging claims for negligence, negligence per se, breach of contract or implied contract, unjust enrichment, and violation of consumer protection laws after personally identifiable health information (“private information”) was compromised as a result of a ransomware attack on Change Healthcare, Inc.’s systems. The actions are brought by individuals (the “consumer actions”) who claim that, as a result of the data breach, they are at increased risk of identity fraud, have had to expend time and resources attempting to minimize the consequences of the breach, and were unable to fill prescriptions for medications, among other things. Additional actions include putative nationwide or state-specific class actions brought by healthcare providers (the “healthcare provider actions”), who allege that they have been unable to process insurance claims and obtain payments for medical services provided to patients as a result of the data breach. The claims brought in the healthcare provider actions are similar to those brought in the consumer actions and also involve claims for breach of covenant of good faith and fair dealing, negligent interference with prospective economic advantage, and breach of confidence.
The defendants in this litigation include Change Healthcare, Inc., a health technology company that provides pharmacies and healthcare providers in the United States with a digital platform that permits them to, among other things, electronically verify patients’ health insurance coverage, process claims for medical services and prescriptions, receive payments, exchange clinical records, provide cost estimates, and bill patients. In one potential tag-along action—M.D. Tennessee Lemke—plaintiffs have filed a second amended complaint adding HealthFirst, Inc. as a defendant and as a representative of a putative defendants’ class of insurance companies that refused to pay claims that were received after their respective deadlines because of the data breach.
In the federal court system, when multiple cases are pending in several different district courts that involve common questions of fact, the law provides that the Judicial Panel on Multi District Litigation (“JPML”) can transfer all of the federal cases to one federal judge, if centralization will serve the convenience of the parties and the witnesses and promote the just and efficient conduct of the litigation for pretrial purposes.
On June 7, 2024, the JPML determined that these actions “share common question of fact arising from allegations that Change Healthcare failed to take adequate measures to prevent and address the consequences of the cyberattack onp its network announced in February 2024.” The JPML also found that “centralization in the District of Minnesota will serve the convenience of the parties and witnesses and promote the just and efficient conduct of this litigation.”