Too big not to fail: NCPA seeks relief from Change Healthcare

ALEXANDRIA, Va. – Providers need to be compensated for losses incurred as the result of massive cyberattack earlier this year, the National Community Pharmacists Association argues in a new lawsuit. 

The association, along with dozens of providers from multiple states, filed a class action lawsuit July 19 against UnitedHealth Group and its subsidiaries Change Healthcare and Optum.  

“Our members suffered a lot of damages both in personnel time and direct financial damages,” said Matthew Seiler, vice president and general counsel at NCPA. “We felt like we would be in a good position to represent all of those interests.” 

In February, Change Healthcare was hit with a ransomware attack that brought payment and claims processing across the country to a halt.  

While it’s “hard to quantify” dollar figures, which vary widely by provider, Seiler said he’s heard some estimates of mid-five to six figures in direct and indirect damages. 

“Direct damages include having to find new software vendors and not being compensated for dispensing services in providing patients their medications,” he said. “Others had to have (patients) go to other pharmacies to get their medications filled.” 

In the lawsuit, the NCPA also argues that Change Healthcare failed to take reasonable precautions against a catastrophic breach and misled customers about its network security. 

“When you get so big, like a huge house with 500 doors going to the outside, it’s harder to monitor those doors,” Seiler said. “In health care, if these companies with 500 doors can't secure them, they're going to continue to get hacked until they do a much better job know protecting patient data and their competitor’s data.” 

The cyberattack underscores what NCPA has been speaking out against all along: That consolidation of health care entities into massive, interrelated companies is a recipe for disaster, says Seiler. 

“We’ve opposed this combination from the beginning,” he said. “The theory is that consolidation leads to efficiencies; however, in our industry, we have seen it lead to a number of inefficiencies – this cyber incident being one of them – and, as a result, higher consumer prices.”