This article gives general legal information, not legal advice. Data breach, privacy, provider revenue-loss, and filing-deadline claims are fact-specific. They can also vary by state. Consult a licensed attorney in your state about your specific situation.

As of June 1, 2026, no court-approved settlement, official claim form, payout amount, or claim deadline has been verified for the Change Healthcare data breach lawsuit 2026. That matters. Many people searching for this topic are trying to separate real court updates from rumors, unrelated claims pages, and hard-to-read breach notices.

The Change Healthcare cyberattack disrupted a major part of the healthcare payment system. Patients, health plan members, guarantors, pharmacies, hospitals, physician practices, and other providers may have been affected. The effect may differ from person to person and business to business.

Some people are worried about exposed personal or medical information. Some providers are focused on delayed payments, cash-flow problems, or revenue-cycle disruption. This guide explains the current MDL status. It also explains how patient and provider claims differ, what records to preserve, and what steps affected people and businesses can take now.

If you received a breach notice, or spent time dealing with fraud, billing issues, or provider payment disruption, start with the Do I Qualify? assessment . Use it while you gather notices, dates, receipts, and account records.

What Is the Change Healthcare data breach lawsuit 2026?

The Change Healthcare data breach lawsuit 2026 refers to federal multidistrict litigation tied to the 2024 ransomware attack on Change Healthcare Inc. Multidistrict litigation (MDL) is a federal process. It moves related lawsuits from different courts to one judge for coordinated pretrial work. It is not the same thing as a final class-action settlement.

The Judicial Panel on Multidistrict Litigation centralized the federal Change Healthcare cases in Minnesota on June 7, 2024. The District of Minnesota court page identifies the proceeding as In re: Change Healthcare, Inc. Customer Data Security Breach Litigation, civil action 24-MD-03108 . The case is before Judge Donovan W. Frank and Magistrate Judge Dulce J. Foster.

The lawsuits generally allege harm from the ransomware attack and from the alleged handling of sensitive data or business operations. Those are allegations, not findings of liability. Defendants may dispute liability, causation, damages, class certification, and other issues as the case moves forward.

Is There a Change Healthcare Data Breach Settlement or Claim Form?

As of June 1, 2026, no court-approved settlement, official data breach claim form, payout amount, or consumer claim deadline was verified from the District of Minnesota MDL page . The docket does show settlement-related discussion. A February 5, 2026 case management order noted informal settlement discussion logistics. Later docket text refers to the court's interest in private mediation. Those developments do not mean a settlement has been approved.

A real settlement process usually includes court filings, a proposed settlement agreement, notice materials, claim forms, opt-out and objection deadlines, and court approval. Until those materials can be verified through a court page or an authorized settlement administrator, be cautious. Do not give Social Security numbers, medical details, bank information, or payment to a site claiming to submit a Change Healthcare data breach claim unless you can verify it.

Some search results may refer to unrelated Change Healthcare settlements, including robocall or telemarketing matters. Do not confuse those matters with the 2024 ransomware and data-security MDL. If a page does not identify MDL No. 3108, civil action 24-MD-03108, or a related court-approved settlement process, verify it before relying on it.

Where Does MDL No. 3108 Stand Now?

The Change Healthcare litigation remains active. The JPML's May 1, 2026 pending MDL report lists MDL No. 3108 before Judge Frank in Minnesota with 120 actions pending and 134 total historical actions . The court's MDL page was last updated on May 18, 2026. It lists a May 19, 2026 status conference, with another status conference set for June 18, 2026.

The court has entered case-management orders on pleadings, joinder, discovery, and status-conference topics. One February 2026 order listed fact discovery due November 2, 2026. It also listed nondispositive motions due November 6, 2026. A March 25, 2026 order later adjusted deadlines for motions to join or add parties and motions to amend pleadings. Those dates were tied to a later ruling on motions-to-dismiss appendices.

For readers, the practical point is simple: the case is not over. It is in coordinated pretrial proceedings. Discovery, pleadings, motions, possible amended complaints, state-court coordination, and settlement structure issues can all affect what happens next. Affected people and businesses should preserve records now. Waiting for a settlement announcement could make it harder to document harm later.

Who May Be Affected by the Change Healthcare Breach?

The affected population is unusually large. The HHS Office for Civil Rights Change Healthcare FAQ says Change Healthcare filed a breach report with OCR on July 19, 2024. It also says Change Healthcare notified OCR on July 31, 2025 that about 192.7 million individuals were impacted. HHS describes Change Healthcare and UnitedHealth Group as part of an OCR investigation. The investigation focuses on whether a protected health information breach occurred and whether HIPAA requirements were followed.

Receiving a breach notice does not automatically prove that a person has a claim worth compensation. It can still be an important record. It may show that a person's information was included in the incident. It may also show who sent notice, what information categories may have been involved, and what protective services were offered.

People who may want to preserve records include patients, health plan members, beneficiaries, spouses or parents who paid medical bills, and guarantors. Their information may have been connected to claims or payment processing. Businesses that may want to preserve records include medical practices, pharmacies, hospitals, clinics, labs, billing companies, and other providers that relied on Change Healthcare services.

How Are Patient Claims Different From Provider Claims?

The District of Minnesota court page separates the MDL into patient actions and provider actions. That split matters. The evidence and damages may be different.

Patient-related claims may focus on exposed personal information, exposed protected health information, time spent responding to the breach, identity-theft risk, fraudulent activity, medical billing problems, or out-of-pocket expenses. The exact theory can depend on state law. It can also depend on the facts of the notice and whether the person can connect a real harm to the incident.

Provider-related claims may focus on business losses. A medical practice or pharmacy might look at delayed reimbursements, manual workarounds, payroll strain, credit costs, denied or delayed claims, patient-service disruption, or other financial records. These issues are different from a patient's privacy concern.

Providers should consult a licensed attorney in their state, especially if contracts, assignment clauses, insurance coverage, or business-interruption losses are involved. The court also flagged insurance-company complaints and a possible third track for discussion in a March 2026 status agenda. That does not mean every affected insurer, provider, or patient has the same legal path. It means the MDL is managing several categories of claims. Those categories may require different pleadings and procedures.

What Information May Have Been Exposed?

The exact information involved can vary by person and by the data Change Healthcare handled for a particular healthcare entity. HHS explains that HIPAA breach notices should describe the types of information involved . Notices should also describe the steps affected individuals should take, what the covered entity is doing to investigate and reduce harm, and contact information for questions. The same FAQ cites the HIPAA Breach Notification Rule at 45 C.F.R. sections 164.400 through 164.414.

In a healthcare payment-processing incident, relevant data categories can include names, contact information, dates of birth, health insurance details, billing information, claim information, diagnosis or treatment-related information, and other identifiers. Do not assume every category applied to every person. Your breach notice, provider records, insurer records, and any later official materials matter more than generic online lists.

Protected health information (PHI) means health information that identifies a person and is held or sent by a HIPAA covered entity or business associate. HIPAA can create regulatory duties and OCR complaint paths. But HIPAA itself is usually enforced by government regulators, not through a direct private lawsuit by an individual. Private lawsuits often rely on state privacy, negligence, consumer protection, contract, or other legal theories instead. Laws vary by state. Consult a licensed attorney in your state before assuming which theory applies.

What Compensation Could Potentially Be Available?

Because no court-approved settlement fund or payment formula has been verified, no one can reliably state a Change Healthcare data breach payout amount. Treat any online estimate as speculation unless it comes from a court-approved notice or settlement administrator.

Depending on the facts and applicable law, patient-side damages in data breach cases could potentially include out-of-pocket costs, time spent responding to fraud, credit-monitoring or credit-freeze costs not otherwise covered, losses from identity theft, costs tied to correcting medical billing or insurance errors, and certain privacy-related harms. Whether those damages are recoverable depends on the claim, proof, state law, and court rulings.

Provider-side damages could potentially include documented revenue disruption, increased administrative costs, interest or financing costs, overtime, delayed reimbursements, and other business losses. Providers should preserve accounting records and communications. Business-loss claims often depend on detailed proof, not general statements that operations were disrupted.

If you are unsure whether your records show enough harm for legal screening, use the Do I Qualify? assessment . It can help organize patient-side or provider-side facts before you share them with counsel.

What Filing Deadlines Could Apply?

There is no verified court-approved Change Healthcare data breach settlement claim deadline as of June 1, 2026. That is different from a statute of limitations. A statute of limitations is the legal deadline to file a lawsuit. These deadlines can vary by state, by legal theory, and by when the injury was discovered or reasonably should have been discovered.

For example, a negligence claim, consumer protection claim, contract claim, privacy claim, or business-loss claim may have different deadlines under state law. Some deadlines may be affected by tolling rules, class-action filing rules, contract limits, or the timing of a breach notice. The MDL's internal case-management dates are not a substitute for an individual's or business's filing deadline.

Affected people should not wait for a settlement rumor before preserving records or asking about deadlines. A licensed attorney can evaluate which state's law may apply. Counsel can also review what limitation period could govern and whether an existing filed action affects the analysis.

What Records Should Patients and Providers Preserve?

Good records can matter more than speed. You do not need to know today whether a future settlement will exist. You can still start saving proof.

Records for patients and families

  • Any Change Healthcare, UnitedHealth Group, insurer, provider, pharmacy, or billing notice about the incident.
  • Envelopes and email headers showing when a notice arrived.
  • Credit-monitoring enrollment records, fraud alerts, credit freezes, and receipts.
  • Bank, credit-card, insurance, and medical-billing records showing suspicious activity or correction efforts.
  • Identity-theft reports, police reports, IRS identity-protection notices, and correspondence with insurers or providers.
  • Time logs showing calls, forms, account resets, disputes, or billing corrections related to the breach.

Records for providers

  • Claim-submission logs, denial records, clearinghouse reports, and remittance records.
  • Cash-flow records before, during, and after the disruption.
  • Payroll, overtime, staffing, and vendor invoices tied to manual workarounds.
  • Loan, line-of-credit, or interest records connected to delayed payments.
  • Communications with Change Healthcare, payers, patients, vendors, and professional associations.
  • Cyber-insurance, business-interruption insurance, and contract documents that may affect recovery.

What Can You Do If You Received a Breach Notice?

First, confirm the notice source. Compare the sender, contact information, and offered services against your provider, insurer, pharmacy, or official Change Healthcare communications. Be wary of messages that pressure you to provide bank information, medical details, or a payment to unlock a claim.

Second, use practical identity-protection steps. The Federal Trade Commission's IdentityTheft.gov provides a government-run path for reporting identity theft and creating a recovery plan. You can also review account statements, dispute unfamiliar charges, place fraud alerts, freeze credit files, update passwords, and monitor medical explanations of benefits for services you did not receive.

Third, save proof of what you do. If you spend money, keep receipts. If you spend time correcting accounts or medical bills, keep a dated log. If a provider, insurer, bank, or government agency confirms suspicious activity, save the letter or email. These records may help if you later need legal screening.

Can You File an OCR Complaint?

The HHS Office for Civil Rights enforces HIPAA rules for covered entities and business associates. OCR's Change Healthcare FAQ says covered entities must provide breach notifications to affected individuals, the HHS Secretary, and sometimes the media. It also says a covered entity may delegate notification tasks to a business associate if the notification is handled properly.

A person who believes HIPAA rights were violated can review OCR's complaint process through HHS . An OCR complaint is different from joining or filing a private lawsuit. OCR may investigate and enforce HIPAA. It does not serve as a personal damages lawyer for an affected patient. If you are trying to evaluate possible compensation, consult a licensed attorney in your state. You can also review official agency complaint options.

How Do You File or Join the Change Healthcare Lawsuit?

There is no verified official settlement claim form for the Change Healthcare data breach MDL as of June 1, 2026. If a settlement is approved in the future, the court or an authorized settlement administrator would normally provide claim instructions, eligibility rules, deadlines, and a notice explaining the legal rights affected by the settlement.

For now, an affected person or provider who wants legal screening can take these steps:

  1. Save the breach notice and related records.
  2. Write a short timeline of when notice arrived, what information may have been involved, and what harm or costs occurred.
  3. Separate privacy-related harm from business-disruption harm.
  4. Check the official MDL page for court updates.
  5. Speak with counsel about deadlines, venue, and whether an individual, class, or provider-track path may apply.

Avoid sending sensitive information to unofficial websites that cannot explain who operates the site, what attorney or administrator is collecting the information, and how the information will be protected. A legitimate legal intake may ask for facts. It should not look like an official court claim form unless the court has actually authorized one.

What You Can Do Now

  1. Check whether your notice is real. Use known contact information for your provider, insurer, pharmacy, or official Change Healthcare resources. Avoid suspicious links.
  2. Preserve the paper trail. Keep notices, fraud reports, receipts, account statements, medical billing records, identity-theft recovery records, and communications.
  3. Monitor financial and medical accounts. Look for unfamiliar charges, new accounts, insurance claims, explanations of benefits, prescriptions, or provider bills.
  4. Use official government recovery tools if identity theft appears. FTC resources can help document the problem and create a recovery plan.
  5. Do not rely on payout rumors. No verified court-approved settlement amount, claim form, or claim deadline exists for the data breach MDL as of June 1, 2026.
  6. Ask about deadlines early. State laws vary. The right deadline analysis may depend on the claim type, discovery date, contracts, and where the case belongs.

Frequently Asked Questions About the Change Healthcare Data Breach Lawsuit

Is there a Change Healthcare data breach settlement?

No court-approved settlement, official claim form, payout amount, or claim deadline was verified as of June 1, 2026. Court-supervised settlement discussions or mediation planning do not equal an approved settlement.

Who qualifies for the Change Healthcare class action lawsuit?

No final settlement class or claim-form eligibility rules have been verified. People or businesses who received breach notices, experienced fraud, spent money responding to the incident, or suffered provider revenue disruption may want legal screening. Receiving a notice alone does not guarantee compensation.

How much will the Change Healthcare data breach payout be?

There is no verified payout amount because no court-approved settlement fund or payment plan has been identified. Treat any dollar estimate as speculation unless it appears in court-approved settlement materials.

What is MDL No. 3108?

MDL No. 3108 is the federal multidistrict litigation for Change Healthcare customer data security breach cases. It is centralized in the District of Minnesota for coordinated pretrial proceedings. The MDL includes patient actions and provider actions.

What should I do if I got a Change Healthcare breach letter?

Save the notice, verify the sender, monitor financial and medical accounts, keep receipts and time logs, and document suspicious activity. If you believe identity theft occurred, use official reporting tools and preserve the reports. If you need advice about legal rights or deadlines, speak with a licensed attorney in your state.

Can providers sue Change Healthcare for lost revenue?

Provider actions are part of the MDL. Providers may have different issues than patients. Whether a specific practice, pharmacy, hospital, or other business may bring or join a claim depends on contracts, proof of loss, applicable law, and court rulings.

Conclusion

The safest way to understand the Change Healthcare data breach lawsuit in 2026 is to separate verified court status from speculation. The MDL is active in Minnesota. Patient and provider tracks exist. HHS OCR reports that about 192.7 million individuals were impacted. But no verified court-approved settlement, official claim form, payout amount, or claim deadline exists for the data breach MDL as of June 1, 2026.

Affected people and providers can still act now. Preserve records, watch for fraud or billing errors, use official reporting tools, and get deadline-specific legal screening when needed. To organize your situation before speaking with counsel, start with the Do I Qualify? assessment .

This article is general legal information, not legal advice. Data breach, privacy, business-loss, and filing-deadline issues can vary by state, contract, court ruling, and individual facts. Reading this page does not create an attorney-client relationship. Consult a licensed attorney about your specific claim and any state-specific deadline.