Judge Calls for Change Healthcare Data Breach Lawsuits in State and Federal Courts To Be Coordinated

In addition to federal lawsuits over the Change Healthcare data breach, similar cases have been brought in California, Florida, Texas, Arizona, Tennessee, New Jersey and Nebraska.

The U.S. District Judge appointed to preside over all Change Healthcare data breach lawsuits brought throughout the federal court system has issued an order, outlining a plan to coordinate the pretrial proceedings in the federal multidistrict litigation (MDL) with claims pending at the state court level.

The litigation emerged a little more than a year ago, after Change Healthcare announced that it was the target of a data breach by hackers who accessed its customers’ sensitive data, including names, Social Security numbers, birthdates, addresses, medical records and insurance details. The breach reportedly exposed the personal data of up to 190 million people.

While the company is not a familiar name to most consumers, it provides essential software, analytics and services to the healthcare industry, with an estimated one in three Americans’ private health data passing through its systems.

At least 65 Change Healthcare data breach lawsuits have been filed throughout the federal court system, and a number of claims have also been brought in various different state courts, including California, Florida, Texas, Arizona, Tennessee, New Jersey and Nebraska.

Given common questions of fact and law raised in the litigation, the U.S. Judicial Panel on Multidistrict Litigation (JPML) centralized the federal lawsuits in the District of Minnesota in June 2024, appointing U.S. District Judge Donovan Frank to preside over coordinated discovery and pretrial proceedings.

As Judge Frank pushes parties to conduct early Change Healthcare data breach settlement talks and prepare for pretrial discovery, the court issued an order (PDF) on March 12, noting that it will be necessary for the parties to coordinate with judges presiding over several similar cases filed in state courts nationwide, to avoid duplication of efforts and to increase efficiency.

“Except in certain circumstances, a federal multidistrict court typically cannot bind the state courts in parallel proceedings, and the state courts cannot bind the federal court. No court that signs this Coordination Order intends to violate that principle,” the order states. “But if the multidistrict court and a given state court simultaneously enter a coordination order, they can collectively and effectively direct the parties and counsel before them to coordinate.”

Judge Frank also issued a letter (PDF) to state judges he believes are overseeing related Change Healthcare data breach lawsuits, including judges in Tennessee, New Jersey, Florida, California, Texas, Arizona and Nebraska.

“I invite each of you to issue such an order in your respective state court cases,” he wrote. “For those of you who choose to issue such an order, I believe we will be able to promote prompt resolution of the cases, while respecting each other’s independence.”

The letter indicates the Court is currently awaiting motions to dismiss, which are due by March 21, and has scheduled a status conference for April 17.

Judge Frank has also ordered the parties to meet with Magistrate Judge Dulce J. Foster on April 30, 2025 at 10:00 AM, to outline the structure and timeline for potential Change Healthcare settlement negotiations, which may allow the parties to find an early resolution for the claims brought nationwide.