Major Massachusetts Health Insurer Data Breach
Friday, 26 May 2023
The second largest health insurer in Massachusetts has been hit by a ransomware attack that has compromised sensitive company information as well as the health information of both current and former patients. Exfiltrated data includes names, birthdates, Social Security numbers, medical history, treatment dates, diagnoses, and provider names for both current and former patients.
Point32Health said in a statement on Tuesday that a "cybersecurity ransomware incident" had affected its Harvard Pilgrim Health Care program, which was detected on April 17th. An investigation that lasted over a month has revealed that the hackers had access to the systems between March 28th and April 17th, during which time sensitive information was compromised. It is unclear at this stage whether or not the ransom has been paid.
"We are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation," Point32Health continued in the statement, adding that Harvard Pilgrim is taking steps to bolster its cybersecurity. Company spokesperson Kathleen Makela mentioned that the company would be notifying those whose information may have been affected, and that the incident has been referred to the FBI.
According to the Harvard Pilgrim Health Care website, the company services more than 1.1 million customers across Massachusetts, New Hampshire, Maine and Connecticut. The Harvard Pilgram systems used to service members, brokers and providers were all affected, with some functionality still remaining offline to this day.
Makela reassured customers that the services were expected to be restored in the coming weeks. "We are currently going through the internal IT and business validations. Once this process is complete, alongside our thorough security screenings, some of our processes will become available in a phased fashion."
"At this point, Harvard Pilgrim is not aware of any misuse of personal information and protected health information as a result of this incident, but nonetheless has begun notifying potentially affected individuals to provide them with more information and resources," said Harvard Pilgrim.
