
Point32Health, Massachusetts’ second-largest health insurer, has revealed for the first time that patient information was stolen in a data breach that plagued the company for weeks.
The parent company of Tufts Health Plan and Harvard Pilgrim Health Care said Tuesday that cybercriminals likely copied and took data from Harvard Pilgrim’s systems between March 28 and April 17, and it began notifying subscribers that their information may have been compromised.
Stolen data may include personal information and potentially protected health information belonging to current and former subscribers and dependents, as well as current providers, including names, physical addresses, phone numbers, dates of birth, provider health insurance account information, social security numbers, and tax identification numbers. Clinical information, such as medical history, diagnoses, treatments, dates of service, and names of providers, may also have been compromised.
A company spokesperson said the investigation and data review process was ongoing and the insurer could not yet say how many people had been affected. The spokesperson declined to specify how many members the company had notified, but noted that it had informed regulators of the incident. After identifying the breach on April 17, the insurer also notified the police.
According to Harvard Pilgrim’s website, the breach may affect current or former Harvard Pilgrim members who enrolled between March 28, 2012, and the present, including individual and family plans purchased directly from the company, state-based exchange plans, and plans selected by employers, as well as providers currently under contract with Harvard Pilgrim. It also affects members in its fully insured and self-insured products, the insurer confirmed.
“Harvard Pilgrim takes this incident very seriously and deeply regrets any inconvenience this incident may cause,” the insurer said in a statement. “At this time, Harvard Pilgrim is not aware of any misuse of personal information and protected health information as a result of this incident, but has nonetheless begun notifying potentially affected individuals to provide them with more information and resources.”
The company said it will offer free identity protection and access to two years of credit monitoring services for those potentially affected and has set up a website for those who want to sign up.
On the Harvard Pilgrim website, the insurer also pointed out that consumers can place an initial or extended “fraud alert” on their credit report at no cost, which requires a company to take steps to verify a consumer’s identity before granting new credit.
In ransomware attacks, criminals break into computer networks and lock down digital information until victims pay to get it back. In these types of attacks, cyber experts said, criminal organizations first exfiltrate a company’s data and then encrypt the data and the network. Some groups demand a ransom in exchange for the decryption key. If an organization is able to restore its systems from uncorrupted backups instead of paying, the criminal group can threaten to sell the stolen information unless it receives a ransom.
Some criminal enterprises even run help desks that guide victims through paying the ransom or applying the decryption key. Victims rarely recover all of their data, because of data corruption or decryption keys that do not work.
Spokespersons for the insurer did not disclose whether or not it paid the ransom.
The outage largely affected systems that serve Harvard Pilgrim’s commercial and New Hampshire Medicare Advantage Stride plans, and did not affect Tufts Health or other plans.
The insurer said on its website that it has since taken several steps to improve the organization’s security, including reviewing and improving user access protocols, improving vulnerability scanning, implementing a new security solution to detect and respond to cyber threats, and performing password resets for administrator accounts.
Strengthening the organization’s defenses going forward is essential. Newfront insurance broker Arturo Perez-Reyes said he has had clients who bought coverage and were hit multiple times by ransomware attacks from the same cybercriminals, who continued to exploit backdoors left in their systems.
Although some organizations fall victim to targeted attacks, most incidents start with phishing, in which attackers trick employees into clicking a malicious link or impersonate a trusted person to gain access to data on a system.
Although cyberattacks are increasingly difficult to prevent, the consequences of failing to stop one can be long-lasting and costly. Perez-Reyes noted that the ransom is often the cheapest part of the ordeal, as companies suffer the financial fallout from service disruptions and face lawsuits over privacy breaches.
The financial implications of Point32’s breach are still unclear, but the disruption has already dragged on for a long time. For more than a month, the company struggled to get its services back online and still had not fully restored the Harvard Pilgrim website. The insurer cannot process claims or requests for prior authorization. Some members have struggled to access basic cost-sharing information, and others say they have not been able to use their insurance at all.
The insurer has implemented various workarounds, including waiving prior authorization requests for Harvard Pilgrim’s commercial plans for medical and behavioral health services.
The insurer has told doctors and hospitals that care provided to Harvard Pilgrim members will be covered. And while the insurer cannot receive, process, or pay claims for services provided to Harvard Pilgrim commercial members, it has implemented an interim payment process.
Mark McKenna, chief financial officer of Pediatric Associates of Greater Salem, said his practice typically receives $62,000 a month from Harvard Pilgrim for its services and has had to dip into its reserves to deal with the delay in payments.
“A small regular practice doesn’t have that cushion or availability,” McKenna said. “Even for us, I don’t like to start digging into the reserves, but that’s what we do. We draw on our reserves to pay the payroll.”
Although the insurer was offering interim payments, McKenna said his practice’s request was denied because the insurer requires the forms to be submitted by the parent entity to which a provider belongs. McKenna’s practice is affiliated with Steward Health Care, which so far has not filed anything on behalf of its practices, he said.
Jessica Bartlett can be contacted at jessica.bartlett@globe.com. Follow her on Twitter @ByJessBartlett.