"Harvard Pilgrim Data Breach Affected Millions, Yet Insurer Struggled to Contact Many Potential Victims For Months"
A ransomware attack and subsequent data breach at Harvard Pilgrim Health Care in April affected over 2.5 million members, but the system outage caused by the ransomware attack has prevented the insurer from directly informing many of the potential victims because the insurer could not access their contact information. Two months after the breach, the insurer is only just beginning to reach out to members directly, but many remain in the dark about whether their personal information was compromised. Harvard Pilgrim, part of health insurer Point32Health, first disclosed in mid-April that it had been the victim of a ransomware attack, affecting the systems it uses to service members, accounts, brokers, and providers. On May 23, the insurer disclosed that patient data had been stolen but declined to publicly say how many members were affected. The next day, however, the insurer informed the US Department of Health and Human Services Office for Civil Rights that millions of people's data potentially had been compromised. Potential victims include those who are or were enrolled in Harvard Pilgrim Commercial or Medicare health plans since March 28, 2012. The data in the accessed files could contain a slew of patient information, including names, addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and medical history such as diagnoses, treatment, dates of service, and provider names. A spokeswoman at Harvard Pilgrim Health Care stated that the system outage has prevented the insurer from contacting members directly "as contact information was not accessible." Harvard Pilgrim has instead sought to inform members through employers, insurance brokers, press releases, and its website, and has made credit monitoring services available through a website for those wishing to enroll. The spokeswoman also said that Harvard Pilgrim began alerting potentially affected members by mail starting June 15. The company noted that it has repaired several functions in the two months since the attack, including the ability to check member eligibility. It also has been issuing temporary member ID cards and distributed payments to providers that had been submitted before the attack. However, Harvard Pilgrim's website and many of its internal functions remain down. The insurer cannot process claims or requests for prior authorization. Some members said they were unable to use their insurance at all. While consumers wait for notification, a class-action lawsuit against the company is moving forward, spearheaded by a woman who said that her credit card was hacked following the cybersecurity breach.