Class action lawsuits pile up over UnitedHealth data breach

investing.com:

By Brendan Pierson

(Reuters) — UnitedHealth Group (NYSE:UNH) has already been hit with at least six class action lawsuits accusing it of failing to protect millions of people's personal data from last month's hack of Change Healthcare (NASDAQ:CHNG), its payment processing unit, with more lawsuits likely to come.

In a motion filed late on Tuesday in Washington, D.C., plaintiffs' lawyers asked a federal judicial panel to consolidate the six cases in federal court in Nashville, Tennessee, where Change is headquartered, and said they expected more cases to be filed.

It is not known how large the litigation could become because it is not clear how much or what kind of information was compromised in the attack, which was carried out by the ransomware hacker group BlackCat.

UnitedHealth, which disclosed the attack on Feb. 21 without specifying how many people were affected, said in a statement Wednesday that it was focused restoring Change's operations.

UnitedHealth hasn't said if BlackCat demanded ransom, but a post on an online forum used by hackers claimed the company paid $22 million to the hackers for regaining access to its locked systems.

Under the Health Insurance Portability and Accountability Act (HIPAA), a U.S. health privacy law, companies have 60 days after discovering a data breach to notify affected individuals that their personal information has been compromised.

For breaches affecting more than 500 people, the company must notify federal regulators and prominent media. UnitedHealth has so far not given such a notice.

Change processes about 50% of the medical claims in the United States for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.

The attack has halted Change's