On the same day in April that the state’s second-largest insurer disclosed it had been hit with a massive ransomware attack, Mark Prince enrolled in one of its health care plans.
In the weeks that followed, Prince and his family lived in a kind of medical purgatory. They were insured by Harvard Pilgrim Health Care starting May 1 but, not having received ID cards, had no way of proving it. Family members were forced to reschedule critical doctor’s appointments; without proof of insurance, he couldn’t complete his children’s enrollment in summer camp.
Ultimately, the father of three from Holliston went back to the Health Connector, where he had purchased the Harvard Pilgrim plan, and demanded that he be allowed to switch, even though it was outside the enrollment window. It cost him an extra $2,000 to join a new plan that included his medical providers.
“Any insurer will proceed quickly to terminate a plan if you’re a minute late with a payment,” said Prince. “But they are a month late in providing access to a new subscriber, and I’m quite sure there are no regulations, no penalties and no consequences for their negligence.”
One month after the ransomware attack, Point32Health, the parent company of Harvard Pilgrim Health Care and Tufts Health Plan, is still struggling to restore service. The insurer says it cannot process claims and requests for prior authorization. Some members say they are unable to access basic information, such as cost sharing for procedures, while others have been unable to access insurance altogether. The outages affect members who get coverage under Harvard Pilgrim Health Care’s commercial plans and New Hampshire Medicare plans; Tufts Health Plan members were not affected.
A spokeswoman said the company is working closely with the connector to identify members who enrolled prior to or since the shutdown, and was issuing temporary cards. She encouraged those who had not yet received insurance cards to call the connector, the state’s online health insurance market.
The insurer has instituted a variety of workarounds to accommodate other technical difficulties, including waiving requests for prior authorization for Harvard Pilgrim commercial plans for medical and behavioral health services. Additionally, the insurer has told doctors and hospitals that care provided to Harvard Pilgrim customers will be covered.
Currently, the insurer cannot receive, process, or pay claims for services provided to Harvard Pilgrim commercial members, so it has implemented an interim payment process. A spokesman with the Massachusetts Medical Society, the state’s largest physician-led organization, said the organization had not heard many concerns from providers, and that a few members had successfully applied for bridge payments.
The insurer said on its website it has a process to send temporary ID cards to new commercial members, and while Harvard Pilgrim’s website was still down, the insurer had restored an abridged version.
“We continue to work with leading third-party cybersecurity experts to investigate the ransomware incident impacting Harvard Pilgrim Health Care systems,” the insurer said in an e-mail Friday. “A number of our core Harvard Pilgrim Health Care systems are expected to come back online over the next several weeks.” It added that some features could become available later this week.
A spokeswoman said that the company was prioritizing restoration of services involving eligibility, enrollment, provider payments, claims processing, and sales.
“We remain committed to bringing systems back online in a careful and thoughtful manner and will only do so when they are designated as ‘safe for use’ after a thorough inspection,” the insurer said.
Another member, who asked to remain anonymous due to the nature of his medical concerns, has had coverage from Harvard Pilgrim Health Care for years, with a member ID and insurance card. However he recently required an MRI to diagnose the cause of his back pain.
In the past, he said, he was unexpectedly charged a copay of more than $1,000 for an MRI, so he called the insurer to find out which locations were in network and what the costs would be. But the insurer couldn’t access any information on copays. Given the back pain, he went ahead with the MRI, though he said he won’t know the cost until he receives an explanation of benefits.
“I was very angry about that circumstance several years ago,” he said. “I was anxious for it not to be repeated. And at this point, I don’t know if it will be.”
In a statement, a spokeswoman for the insurer said members and providers should check their member ID cards for copayment information. Once systems are back online, and claims are processed, copays and deductibles will be applied, she said.
Ransomware attacks are typically twofold, with criminal organizations first extracting a company’s data and then encrypting access to data and the network. Some groups demand a ransom in exchange for the encryption key, or, if organizations are prepared to restore systems through uncorrupted backups, threaten to sell the information unless they receive a ransom.
Spokespeople from the insurer declined to specify whether they had paid a ransom.
Whether victims pay a ransom or not, it isn’t unusual for restoration efforts to take a minimum of three to four weeks after a high impact ransomware attack, said John Riggi, national adviser for cybersecurity and risk for the American Hospital Association, who formerly served as a senior executive in the cyber division of the FBI.
Organizations first need to know how criminals gained access to their systems and close the vulnerability before they can restore systems, Riggi said, and they need to make sure bad actors are no longer in their systems so groups don’t exploit data backups. Each server then has to be methodically restored.
Though federal authorities discourage ransom payments, if victims do end up paying, some criminal enterprises are known to deploy “help desks” to help victims restore services, Riggi said. Even with the encryption key and a criminal organization’s restoration help, the encryption process can corrupt data and rarely is everything recovered.
“We know we have to do our part to prevent these attacks and be in the best position to respond and recover,” Riggi said. “At the same time, we need the government to continue offensive operations of these bad guys. It has to be a combined strategy of defense and offense.”