Indiana University Health sues Change Healthcare over 2024 ransomware attack, seeks $66 million in damages

Indiana University Health filed a lawsuit Feb. 19 in the U.S. District Court for the District of Minnesota against Change Healthcare, alleging a 2024 ransomware attack disrupted critical billing and payment systems and caused $66 million in damages.

Indiana University Health, a nonprofit healthcare system based in Indianapolis, claims the February 2024 cyberattack on Change Healthcare halted electronic services essential to submitting, routing, tracking and receiving payment for healthcare claims. The complaint alleges negligence and gross negligence, breach of contract, unjust enrichment and fraud.

Change Healthcare, a healthcare technology company that processes medical payments and insurance claims for providers worldwide, serves approximately 900,000 physicians and supports transactions affecting more than one-third of the U.S. population. The company was acquired in 2022 by Optum Insight in a $13 billion deal. Optum Insight is the technology-driven health services arm of UnitedHealth Group, one of the largest global health insurers and healthcare providers, headquartered in Eden Prairie, Minnesota.

The lawsuit centers on contractual agreements between IU Health and Change Healthcare. Under a Financial Services Agreement executed around Dec. 18, 2017, Change Healthcare agreed to provide billing and payment services and to use reasonable care and security measures in managing IU Health’s confidential information.

The parties later entered into a Business Associate Agreement around Sept. 25, 2019, requiring Change Healthcare to implement two-factor authentication for IU Health data access and to use appropriate technical, procedural and physical safeguards to prevent unauthorized access to protected health information. The agreement also required that IU Health’s business operations continue uninterrupted in the event of a system disruption and that IU Health receive immediate notice of such incidents.

On Feb. 21, 2024, ransomware group ALPHV, also known as Blackcat, launched a cyberattack against Change Healthcare that halted the company’s operations. Ransomware attacks involve encrypting or exfiltrating data and demanding payment in exchange for restoring access or preventing public release.

The attack brought Change Healthcare’s systems offline, delaying patient billing, insurance claim authorization and coverage verification. UnitedHealth Group paid $22 million in bitcoin to the attackers following the incident.

In testimony submitted May 1, 2024, to the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations, UnitedHealth Group CEO Andrew Witty stated that the attackers used compromised credentials to access a Change Healthcare sign-in portal and then moved into internal systems. The portal lacked multifactor authentication.

IU Health alleges that as a result of the outage, eligibility verification, electronic claim submission, claim status management and payer-related billing processes were interrupted. The health system contracted new vendors to restore services and recover lost revenue, established internal incident command centers, hired temporary staff to manage billing operations, implemented IT processes to mitigate lost payments and manually reviewed backlogged files.

The complaint asserts that Change Healthcare failed to implement required safeguards and did not provide an adequate backup plan for clients during the disruption. IU Health sent two letters in March 2024 requesting information about the breach’s impact, the security of data it had provided and related legal obligations. The lawsuit states that Change Healthcare has not supplied the requested information.

On Feb. 2, 2026, IU Health formally requested compensation for the $66 million in alleged losses. Change Healthcare has not agreed to reimburse the health system.