Point32Health, the parent organization of Harvard Pilgrim Health Care and other insurance plans, announced that data was copied and taken from the healthcare payer's systems during a cyber breach that occurred between March 28 and April 17.
WHY IT MATTERS
HPHC, which has members in Massachusetts, New Hampshire, Maine and Connecticut, determined that the copied files may contain personally identifiable information and/or protected health information belonging to current and former subscribers and dependents, as well as contracted providers.
The stolen data includes names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers and clinical information, according to an announcement this week.
HPHC noted in the statement that the PHI could include medical history, diagnoses, treatment, dates of service and provider names.
The health insurer said it has contracted with Beaverton, Oregon-based IDX, a breach response company, to field calls from concerned HPHC members and former members to determine if their data may have been affected and then enroll affected individuals for two years of identity theft monitoring and up to $1 million in theft recovery.
The day after it confirmed that patient data had been exfiltrated, HPHC also posted a systems update about security updates to its website.
HPHC says it is implementing endpoint security to improve cyber threat response, enhancing vulnerability scanning and identifying and prioritizing IT Security improvements.
THE LARGER TREND
After first discovering the unauthorized access, Point32Health said it quickly took HPHC systems offline to contain the ransomware threat, but some damage had already been done.
Initially, disruptions to care were being reported as providers and pharmacies may be concerned about a member's covered services and medications and the insurer was in the midst of state employee open enrollment.
HPHC waived prior authorization requirements with some exceptions, like solid organ transplants, and its website provided FAQs that noted impacts to operations including electronic payments.
The insurer said it was working with OptumRx on approving prescriptions for new member enrollments that were in process when systems went down.
HPHC filed with the state of Maine that 75,534 of its residents that had health coverage as of December 2022 had been affected by the breach.
As far as service disruptions, HPHC told the Portland Press Herald by email on May 24 that it is still working to restore its systems.
The company is still going through internal IT and business validations, according to the story.
"Once this process is complete, alongside our thorough security screenings, some of our processes will become available in a phased fashion," Kathleen Makela, the company spokesperson, said.
ON THE RECORD
"At this point, Harvard Pilgrim is not aware of any misuse of personal information and protected health information as a result of this incident, but nonetheless has begun notifying potentially affected individuals to provide them with more information and resources."
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.