IU Health Sues Change Healthcare Over Ransomware Attack

Indiana University Health initiated legal proceedings against Change Healthcare, part of UnitedHealth Group, in February 2024, with a lawsuit filed in the U.S. District Court in Minnesota. The case stems from a ransomware attack in February 2024 on Change Healthcare, which disrupted key electronic systems and data integral to IU Health's operations. The allegations against Change Healthcare include negligence, breach of contract, unjust enrichment, and fraud, amid a wave of related lawsuits.

Change Healthcare specializes in automating administrative processes like medical payments and insurance claims for healthcare providers globally. It supports a significant portion of the population in the United States and was purchased by Optum Insight, an arm of UnitedHealth Group, in 2022 for $13 billion.

The legal complaint references a Financial Services Agreement initiated in December 2017, where Change Healthcare committed to handling billing and payment solutions with due care for IU Health's confidential information. An additional Business Associate Agreement was established in 2019, requiring the implementation of two-factor authentication for IU Health data and safeguards against unauthorized access to sensitive health information. The agreement stipulated that operations should continue seamlessly in case of any disruptions at Change Healthcare.

On February 21, 2024, the ransomware group ALPHV, or Blackcat, executed an attack that led to the shutdown of Change Healthcare's operations, affecting crucial processes such as patient billing, claim authorizations, and insurance verification. UnitedHealth Group reportedly paid a $22 million ransom in bitcoin following the breach.

During a congressional hearing in May 2024, UnitedHealth Group CEO Andrew Witty disclosed that compromised credentials allowed unauthorized access to a Change Healthcare portal lacking multifactor authentication, leading to the system intrusion. The lawsuit claims Change Healthcare did not meet its obligations to provide essential electronic services, causing service interruptions in insurance verification, claim submissions, and billing procedures.

IU Health was forced to engage alternative providers and take extra measures, including temporary staffing and enhanced IT routines, to manage the financial impacts. IU Health sought detailed information from Change Healthcare regarding the attack's repercussions and its security posture in March 2024, but has yet to receive a response. The breach reportedly resulted in $66 million in damages for IU Health, which requested compensation in February 2026. Change Healthcare has not agreed to cover those costs.

IU Health's Executive Director of External Communications, Lisa Tellus, emphasized the importance of timely healthcare payments for ensuring quality care, though details of the ongoing litigation were not disclosed. Optum, part of Change Healthcare’s parent company, did not provide comments on the matter. IU Health is pursuing a jury trial and seeks damages, legal costs, and other court-directed remedies. Multiple related lawsuits against Change Healthcare have been consolidated into a single proceeding as part of multidistrict litigation in Minnesota.