
Point32Health: 2.5 Million Harvard Pilgrim Health Care Members Affected by Ransomware Attack

In April 2023, Point32Health, the second-largest health insurer in Massachusetts and the parent company of Tufts Health Plan and Harvard Pilgrim Health Care, announced it suffered a ransomware attack that resulted in system outages, including the systems that serviced members, accounts, brokers, and providers. The attack was detected on April 17, and systems were rapidly taken offline to contain the breach, although at the time of the announcement it was unclear to what extent, if any, protected health information had been compromised.

Point32Health has provided an update on the incident and said it is likely that the protected health information of current and former members of Harvard Pilgrim Health Care plans was stolen in the attack. Point32Health said the forensic investigation confirmed that systems were breached on March 28, 2023, and the attackers maintained access to its systems until April 17, 2023, when the security breach was discovered. During that time the attackers exfiltrated files from its systems that contained personal and protected health information such as names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information.

Point32Health said some of the affected systems, including those used to service members, brokers, and providers, remain offline, including the systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). Point32Health is working with third-party cybersecurity experts and expects to bring those systems back online in the coming weeks. “We are currently going through the internal IT and business validations. Once this process is complete, alongside our thorough security screenings, some of our processes will become available in a phased fashion,” said Point32Health Director of Public Relations, Kathleen Makela.

Point32Health said it has reviewed and enhanced its user access protocols, enhanced vulnerability scanning, identified prioritized IT security improvements, implemented a new Endpoint Detection and Response (EDR) security solution, and performed a password reset for all administrative accounts.


Evidence has been found to indicate the protected health information of current and former health plan subscribers and their dependents has been compromised. Point32Health said it was unaware of any actual or attempted misuse of the affected data at the time of issuing notifications; however, as a precaution against identity theft and fraud, affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The HIPAA Journal has been contacted by one Tufts Health Plan member whose personal information was used to open several fraudulent accounts with major U.S. financial institutions following the data breach. Individuals should therefore take advantage of the credit monitoring services that have been offered and should consider placing a security freeze on their accounts with a national credit reporting agency.

Harvard Pilgrim Health Care has reported the breach to the HHS’ Office for Civil Rights as involving the protected health information of 2,550,922 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
