The state’s second-largest insurer suffered large technical outages due to a cybersecurity ransomware incident.
Point32Health, the parent company of Tufts Health Plan and Harvard Pilgrim Health Care, said in a memo on its website that it identified a ransomware incident on Monday, affecting the systems it uses to service members, accounts, brokers and providers. A spokesman for the insurer said the outages were mainly affecting members covered under Harvard Pilgrim Health Care’s commercial plans and New Hampshire Medicare plans, though they were not impacting those on the Tufts Health Plan.
“After detecting the unauthorized party, and out of an abundance of caution, we proactively took certain systems offline to contain the threat,” the insurer said in the statement. “We have notified law enforcement and regulators, and are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation.”
On Tuesday, the insurer’s website was down for a time. Some members who tried calling their insurer said they also experienced technical difficulties.
The insurer said it was working around the clock to restore impacted systems quickly and urged members with urgent needs to call the member services number on their ID cards. While Point32’s website appeared to be functioning Wednesday, Harvard Pilgrim’s website still appeared to be down.
In the memo, executives said they were still determining if sensitive information from members was involved in the incident, and said the insurer would notify those affected if so.
One member, who asked to remain anonymous due to privacy concerns, said his doctor had been struggling since Thursday to get him a prior authorization request from Harvard Pilgrim Health Care for a medical procedure. Without approval from his insurer, the procedure could be cancelled, or he would face a larger bill.
He tried calling the insurer himself but was unable to get through on Monday because of the holiday or on Tuesday, when a message on the main number still said the insurer was closed. Ultimately, the member connected with his insurer on Wednesday morning and was able to receive a phone number for his physician to call.
Professor Kevin Powers, who heads up the cybersecurity graduate programs at Boston College, said health care businesses — from hospitals to health insurers — have increasingly become a target for cybercriminals.
“Think about all the sensitive data they have and information,” Powers said. “They will have personally identifiable info, sensitive health care info, financial info, insurance info. When you think of that alone, that is a key target.”
While Powers didn’t have details on what the Point32 attack included, in a ransomware attack criminals typically encrypt an organization’s data and shut down operations, offering access to the encryption key in exchange for a ransom. While organizations can choose to pay the ransom, law enforcement typically does not advise them to do so, as paying doesn’t guarantee that an organization will get all its data back, nor does it protect information that has already been stolen.
No case is the same, but typically incident response teams at different organizations will assess the scale of the breach and make a determination on the best way to contain it, Powers said.
Massachusetts health care facilities have encountered several cyberattacks in recent years. In 2020, several hospitals in Massachusetts either shut down email systems or installed more aggressive email filters after federal officials warned of phishing emails that had sought to send malware to health care executives.
In 2021, a hacker group sponsored by the Iranian government attempted a cyberattack aimed at Boston Children’s Hospital. And in 2022, hospitals were put on high alert for cybersecurity threats from Russia that stemmed from the war in Ukraine.
Powers said health care systems are investing in cybersecurity not only because of the risks to critical infrastructure, but because regulatory agencies have also strengthened what companies must do for protection.
Yet protecting against such threats is complicated, and cybercriminals sometimes have a wealth of resources at their disposal.
“Cybercriminals only have to be right once,” Powers said. “And sometimes they are working for nation states, so they have the resources a nation state would…how could you expect a hospital to defend against that type of attack?”