Indiana University Health filed a lawsuit against Change Healthcare, a subsidiary of UnitedHealth Group, on Feb. 19 in the Minnesota U.S. District Court.
A February 2024 ransomware attack on Change Healthcare disrupted critical electronic systems and data supporting IU Health services, the complaint claims. IU Health is alleging negligence and gross negligence, breach of contract, unjust enrichment and fraud. The attack has since sparked a series of lawsuits nationwide.
Change Healthcare is a healthcare technology company that facilitates administrative functions like processing medical payments and insurance claims for healthcare providers worldwide, according to its website. The company’s customer base includes about 900,000 physicians and more than one third of the U.S. population.
The company was acquired by Optum Insight in a $13 billion deal in 2022. Optum Insight is a technology-driven health services subsidiary of UnitedHealth Group, one of the largest global health insurance and healthcare providers. UnitedHealth Group is headquartered in Eden Prairie, Minnesota.
IU Health and Change Healthcare established a Financial Services Agreement around Dec. 18, 2017, the complaint states, under which Change Healthcare would provide billing and payment services. The agreement also stated Change Healthcare would “use reasonable care and security measures in managing confidential IU Health information.”
Around Sept. 25, 2019, the two parties entered into a Business Associate Agreement, where Change Healthcare agreed to implement two-factor authentication for IU Health data access, an IU Health security requirement. Change Healthcare would also “implement and use appropriate technical, procedural and physical safeguards” to prevent unauthorized access to IU Health’s protected health information. The agreement also stated IU Health should be able to continue its business uninterrupted if Change Healthcare faced a system disruption. In the case of such an event, IU Health would be notified immediately.
On Feb. 21, 2024, Change Healthcare underwent a cyberattack from ransomware group ALPHV, also known as Blackcat, that halted its operations. Ransomware groups conduct cyberattacks on an organization’s data, demanding payment in exchange for restoring access to or preventing release of the data.
The attack resulted in a data breach that brought the company’s systems offline, leading to delays in billing patients, authorizing claims and verifying insurance coverage.
UnitedHealth Group paid $22 million ransom in bitcoin after the attack.
In a statement before the House Energy and Commerce Committee Subcommittee on Oversight and Investigations on May 1, 2024, UnitedHealth Group CEO Andrew Witty wrote the ransomware group used compromised credentials to gain access to a Change Healthcare sign-in portal and ultimately its internal systems. The portal lacked multifactor authentication, a security process requiring users to input two or more verifications of identity before gaining access to a digital service.
In the lawsuit, IU Health alleges Change Healthcare failed to fulfill its contractual obligations in providing products and electronic services necessary for IU Health to submit, route, track and receive payment for healthcare claims because of the attack.
Interrupted services included eligibility verification, electronic claim submission, claim status management and payer-related billing processes, the lawsuit states. This resulted in IU Health contracting new vendors to provide those services and recover lost revenue.
IU Health also set up internal incident command centers, contracted temporary employees to manage billings, implemented IT routines to reduce lost payments and manually reviewed backlogged files, according to the suit.
IU Health alleged Change Healthcare lacked safeguards to prevent the data breach and did not supply a backup plan for its clients during the breach.
According to the suit, IU Health requested information from to assess the impact of the cyberattack, the security state of information it provided to Change Healthcare and legal obligations resulting from the attack in two letters to the company in March 2024.
Change Healthcare has not yet provided the requested information, IU Health claims.
According to the lawsuit, the data breach incurred $66 million in damages for IU Health. On Feb. 2, 2026, IU Health requested compensation for the costs it sustained from Change Healthcare.
Change Healthcare has not agreed to reimburse IU Health.
IU Health Executive Director of External Communications Lisa Tellus wrote in a statement to the Indiana Daily Student that IU Health cannot discuss active litigation.
“I can tell you that ensuring timely payments for healthcare services is crucial for maintaining high-quality healthcare delivery and keeping costs manageable for patients,” Tellus wrote.
Change Healthcare’s parent company Optum did not respond to a request for comment.
IU Health demanded a jury trial and that the court grant damages, litigation expenses, pre-judgement interest and other relief the court deems just and proper.
Several class action lawsuits against Change Healthcare brought by other clients impacted by the data breach were consolidated into a single case in the U.S. District Court of Minnesota on June 7, 2024, after the U.S. Judicial Panel on Multidistrict Litigation found the plaintiffs “share common questions of fact.”
Presiding judge Donovan W. Frank wrote in a statement on June 30, 2025, that the multidistrict litigation involves 90 cases, with more being reviewed for transfer.
The U.S. District Court of Minnesota reviewed 102 total lawsuits as part of the multidistrict litigation. Ninety lawsuits remain pending as of Feb. 2, 2026.
