UnitedHealth Group is looking to simplify the legal battle over the Change Healthcare cyberattack.
The conglomerate, which operates Change Healthcare through its Optum subsidiary, wants a judicial body to assign two dozen potential class action lawsuits to the U.S. District Court for the Middle District of Tennessee in Nashville, according to a brief filed Wednesday.
Related: Disruptions to endure even as Change Healthcare fixes systems
The pending cases are a mix of claims brought by providers and by patients related to the ransomware attack that has roiled the healthcare sector for more than a month. The providers complain of payment delays. The consumers allege the breach put them at risk of identity theft. Class-action attorneys have publicly been recruiting plaintiffs for these and other cases.
Change Healthcare, represented by the law firm Hogan Lovells, contends that these suits should be heard in Nashville, where the UnitedHealth Group unit is based. The request to the U.S. Judicial Panel on Multidistrict Litigation also notes 15 of the lawsuits are already before the Tennessee federal court.
As an alternative, Change Healthcare suggests the U.S. District Court for the District of Minnesota in Minneapolis and St. Paul, near UnitedHealth Group's Minnetonka headquarters and the venue for three lawsuits. There also are two cases in California, two in New Jersey, one in Mississippi and one in Pennsylvania.
Change Healthcare was the victim of a ransomware attack Feb. 21 that the company attributes to a collective known as BlackCat (also called ALPHV or Noberus). Disruption to its systems that process claims, payments, prior authorizations and other transactions have wreaked havoc on the healthcare system even as UnitedHealth Group makes repairs.
In its legal filing, Change Healthcare rejects the plaintiffs' premise that it is responsible for the consequences of another party's crimes. “At bottom, all actions are based on the incorrect and unfounded theory that, because a cyberattack occurred, Change’s security must have been deficient and plaintiffs must have been harmed,” Hogan Lovells partner Allison Holt Ryan wrote in the brief.
The Health and Human Services Department is investigating whether protected health data was breached and whether UnitedHealth Group complied with notification requirements and federal privacy and security rules.
