Major Massachusetts Health Insurer Suffers Ransomware Attack
Point32 Health, the second-largest health insurer in the state of Massachusetts, has announced it has experienced a ransomware attack that has resulted in system outages, including systems that are used to service its members, accounts, brokers, and providers.
Point32 Health is the parent company of Tufts Health Plan and Harvard Pilgrim Health Care and serves more than 2 million individuals in New England. Point32 Health said the outages have mainly affected Harvard Pilgrim Health Care customers, in particular, those with commercial or New Hampshire Medicare plans. Tufts Health Plan members are not understood to have been affected.
Point32 Health said it detected the presence of a malicious actor within its network on April 17, 2023, and took immediate action to contain the threat, which involved taking multiple systems offline while the attack was investigated and remediated. Efforts are underway to restore systems as soon as possible, and the staff and third-party cybersecurity experts are working around the close to bring systems back online.
The attack has caused disruption to providers and members, with some reportedly having experienced problems getting prior authorizations for medical procedures. Point32 Health said any members that require urgent assistance should call the member services number on their ID cards.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
No ransomware gang appears to have claimed responsibility for the attack at this stage; however, ransomware gangs typically provide victims with a few days to pay the ransom before issuing public announcements. If the ransom is not paid, pressure is increased by publishing the stolen data.
At this stage of the investigation, it is unclear to what extent, if any, plan member data is involved or whether there is a HIPAA compliance breach. Point32 Health said that if the investigation confirmed that if personal or protected health information has been exposed or stolen, individual notifications will be mailed to those individuals as soon as possible.