The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Major Massachusetts Health Insurer Suffers Ransomware Attack

Point32 Health, the second-largest health insurer in the state of Massachusetts, has announced it has experienced a ransomware attack that has resulted in system outages, including systems that are used to service its members, accounts, brokers, and providers.

Point32 Health is the parent company of Tufts Health Plan and Harvard Pilgrim Health Care and serves more than 2 million individuals in New England. Point32 Health said the outages have mainly affected Harvard Pilgrim Health Care customers, in particular, those with commercial or New Hampshire Medicare plans. Tufts Health Plan members are not understood to have been affected.

Point32 Health said it detected the presence of a malicious actor within its network on April 17, 2023, and took immediate action to contain the threat, which involved taking multiple systems offline while the attack was investigated and remediated. Efforts are underway to restore systems as soon as possible, and staff and third-party cybersecurity experts are working around the clock to bring systems back online.

The attack has caused disruption to providers and members, with some reportedly having experienced problems getting prior authorizations for medical procedures. Point32 Health said any members that require urgent assistance should call the member services number on their ID cards.

No ransomware gang appears to have claimed responsibility for the attack at this stage; however, ransomware gangs typically provide victims with a few days to pay the ransom before issuing public announcements. If the ransom is not paid, pressure is increased by publishing the stolen data.

At this stage of the investigation, it is unclear to what extent, if any, plan member data is involved or whether there is a HIPAA compliance breach. Point32 Health said that if the investigation confirms that personal or protected health information has been exposed or stolen, individual notifications will be mailed to those individuals as soon as possible.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
