After the ransomware attack, the state’s second-largest health insurer said patient data had been stolen

Point32Health, Massachusetts’ second-largest health insurer, disclosed for the first time that patient information was stolen during a data breach that has crippled the company for weeks.

The parent company of Tufts Health Plan and Harvard Pilgrim Health Care said Tuesday that cybercriminals copied and took data from Harvard Pilgrim’s systems between March 28 and April 17, and that it began notifying subscribers that their information may have been compromised.

The stolen data may include potentially protected personal and health information of current and former subscribers and their dependents, as well as current service providers, including names, physical addresses, telephone numbers, dates of birth, health insurance account information, Social Security numbers, and service provider taxpayer identification numbers. Clinical information, such as medical history, diagnoses, treatment, service histories, and names of providers, may also have been compromised.

A company spokesperson said the process of investigation and data review is ongoing, and it can’t yet say how many people have been affected. She declined to say how many members she had informed, but indicated that she had informed the organizers of the incident. Having identified the breach on April 17, the insurance company also notified law enforcement.

According to Harvard Pilgrim website, the violation may affect current or former members of the Harvard Pilgrim who enrolled between March 28, 2012, and the present time, including individual and family plans purchased directly from the Company, exchanges, or select government plans through employers, as well as currently contracted service providers With Harvard Pilgrim. The insurer confirmed that it also affects members on both its fully insured and self-insured products.

“Harvard Pilgrim takes this incident very seriously and deeply regrets any inconvenience this incident may cause,” the insurance company said in a statement. “At this point, the Harvard Pilgrim is not aware of any misuse of personal information and protected health information as a result of this incident, but has nonetheless begun notifying potentially affected individuals to provide them with further information and resources.”

The company said it would provide free identity protection and access to credit monitoring services for two years to potentially affected individuals website For those wishing to register.

On the Harvard Pilgrim website, the insurance company also notes that consumers can place an initial or extended “fraud alert” on a credit file at no cost, which requires the company to take steps to verify a consumer’s identity before offering new credit.

In ransomware attacks, criminals breach computer networks and seize digital information until victims pay to unlock it. Cyber ​​experts said that in these types of attacks, criminal organizations will first mine corporate data and then encrypt access to the data and the network. Some groups demand a ransom in exchange for the encryption key. If organizations are willing to restore systems through undamaged backups, criminal groups can threaten to sell the information unless they get a ransom.

Some criminal enterprises have back-office services that trick people into paying the ransom or executing a decryption key. People rarely recover their complete data because the data is corrupted, or the encryption key is not working.

Spokesmen for the insurance company did not disclose whether or not the ransom was paid.

The outage largely affected systems serving Harvard Pilgrim Business Plans and New Hampshire Medicare Advantage Stride, and did not affect Tufts Health or other plans.

The insurance company said on its website that it has since taken several steps to enhance the organization’s security, including reviewing and strengthening user access protocols, enhancing vulnerability scanning, implementing a new security solution to detect and respond to cyber threats, and performing password resets for administrators. accounts.

Supporting the organization moving forward is critical. Arturo Perez Reyes An insurance broker from Newfront said he has clients who have purchased coverage You get ransomware attacks many times from the same cyber criminals who keep exploiting the backdoors of the system.

Although some organizations fall victim to targeted attacks, most start with phishing, which causes employees to click a malicious link or impersonate an official person to gain access to system data.

Although it is increasingly difficult to prevent, the consequences of not stopping a cyberattack can be long lasting and costly. Perez-Reyes noted that ransomware is often the least expensive part of the ordeal, as companies face financial repercussions from outages and face lawsuits over privacy violations.

The financial implications of the Point32 breach are still unclear, but they are indeed long-term. For more than a month, the company has struggled to get its services back online, and it still hasn’t fully restored the Harvard Pilgrim website. The insurance company cannot process claims or requests for prior authorization. Some members struggled to access basic cost-sharing information, and others say they were unable to use their insurance at all.

The insurance company has developed a variety of solutions, including a waiver of prior authorization requests for Harvard Pilgrim’s business plans for medical and behavioral health services.

The insurance company has informed doctors and hospitals that care for Harvard Pilgrim clients will be covered. And although the insurance company cannot receive, process, or pay for services to Harvard Pilgrim business members, it has implemented a temporary payment process.

Mark McKenna, CFO of Pediatric Associates of Greater Salem, said his practice typically gets $62,000 a month from the Harvard Pilgrim for services, and has had to dip into its reserves to deal with delays in payments.

“A small, regular practice doesn’t have that protection or availability,” McKenna said. “Even for us, I don’t like to start digging into reserves, but that’s what we do. We dig into our reserves in order to pay salaries.”

Although the insurance company was offering bridging payments, McKenna said his request was denied, because the insurance company requires forms that must be submitted by the contracting entity to which the provider belongs. He said McKenna’s practice is connected to Steward Health Care, which has not yet filed anything on behalf of its practice.

Jessica Bartlett can be reached at [email protected]. Follow her on Twitter @employee.