Cyberattack May Have Compromised Personal Data
A cyberattack on one of the state’s largest health insurance providers may have compromised personal data including addresses, medical history and Social Security numbers, Point32Health announced Tuesday.
The insurance giant, which is the parent company of Harvard Pilgrim Health Care, informed members that an investigation into a ransomware attack it identified last month has now determined that patient information might have been stolen. The insurer first identified the cybersecurity ransomware incident” on April 17.
“Unfortunately, the investigation identified signs that data was copied and taken from our Harvard Pilgrim systems between March 28, 2023, and April 17, 2023,” Harvard Pilgrim Vice President for Privacy and Fraud Prevention and Recovery Christopher Walsh wrote in a message to members on Tuesday.
“We determined that the files at issue may contain personal information and/or protected health information for current and former subscribers and dependents associated with your group health plan,” Walsh wrote. “The investigation revealed that the following information related to your members could potentially be in the files at issue: member names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, and clinical information (e.g., medical history, diagnoses, treatment, dates of service, and provider names).”
“We are not aware of any misuse of personal information or protected health information as a result of this incident,” Walsh added.
In an online FAQ, the insurer said individuals may have been impacted if they were a member of Harvard Pilgrim any time between March 28, 2012 and today. An estimate of the potential number of people affected was not available.
Harvard Pilgrim offered to provide members with two years of complimentary credit monitoring and identity protection services through IDX, though Walsh said the company cannot enroll members itself.
Online capabilities are still limited for Harvard Pilgrim in the wake of the cyberattack, though other systems under the Point32Health umbrella including Tufts Health Plan are accessible.
The News Service asked Point32Health on May 5 if the company considered the incident a data breach and if so, whether state authorities were notified as required. The insurer didn’t say yes or no at the time, and said in a statement that “if during our investigation we determine any individuals’ sensitive information is involved in this incident, we will notify them in accordance with applicable law.”