Point32Health, the second-largest health insurer in Massachusetts, disclosed for the first time that patient information had been stolen during a data breach that has hampered the company for weeks.
The parent company of Tufts Health Plan and Harvard Pilgrim Health Care said on Tuesday that cyber criminals had likely copied and taken data from Harvard Pilgrim’s systems between March 28 and April 17, and that it has begun to notify subscribers their information may have been compromised.
The stolen data may include personal information and potentially protected health information belonging to current and former subscribers and dependents, as well as current providers, including names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, and provider taxpayer identification numbers. Clinical information, such as medical history, diagnoses, treatment, dates of service, and provider names, may also have been compromised.
A company spokesperson said the investigation and data review process is ongoing, and it could not yet say how many people had been affected. It declined to specify how many members it had notified, but noted it had informed regulators of the incident. After it identified the breach on April 17, the insurer had also notified law enforcement.
According to Harvard Pilgrim’s website, the breach may affect current or former members of Harvard Pilgrim who enrolled between March 28, 2012, and the present, including individual and family plans purchased directly from the company, state-based exchanges or plans selected through employers, as well as providers currently contracted with Harvard Pilgrim. It also impacts members in both its fully insured and self-insured products, the insurer confirmed.
“Harvard Pilgrim is taking this incident extremely seriously and deeply regrets any inconvenience this incident may cause,” the insurer said in a release. “At this point, Harvard Pilgrim is not aware of any misuse of personal information and protected health information as a result of this incident, but nonetheless has begun notifying potentially affected individuals to provide them with more information and resources.”
The company said it will offer complimentary identity protection and access to two years of credit monitoring services for potentially affected individuals and has created a website for those wishing to enroll.
On its Harvard Pilgrim website, the insurer also pointed out that consumers could place an initial or extended “fraud alert” on a credit file at no cost, which requires a business to take steps to verify a consumer’s identity before extending new credit.
In ransomware attacks, criminals break into computer networks and lock up digital information until victims pay for its release. In those types of attacks, cyber experts said, criminal organizations will typically first extract a copy of a company’s data and then encrypt the data and the network, cutting off access. Some groups demand a ransom in exchange for the decryption key. If an organization can restore its systems from uncorrupted backups and so has no need for the key, the criminals can instead threaten to sell or publish the stolen information unless they are paid.
Some criminal enterprises run service desks that walk victims through paying the ransom and applying the decryption key. Even then, victims rarely get all of their data back, because files were corrupted during encryption or the decryption key does not work properly.
Spokespeople for the insurer have not disclosed whether or not it paid the ransom.
The outage largely affected systems that serve Harvard Pilgrim’s commercial and New Hampshire Medicare Advantage Stride plans, and did not affect Tufts Health or other plans.
The insurer said on its website that it has since taken several steps to enhance the organization’s security, including reviewing and enhancing user access protocols, enhancing vulnerability scanning, implementing a new security solution to detect and respond to cyber threats, and conducting password resets for administrative accounts.
Shoring up the organization going forward is critical. Arturo Perez-Reyes of insurance broker Newfront said he has had clients that purchased coverage and were then hit with ransomware attacks multiple times by the same cyber criminals, who kept using the same back doors into the system.
Though some organizations are the victims of targeted attacks, most attacks begin with phishing: an email or message that prompts an employee to click a malicious link, or that impersonates a trusted person to gain access to a system and its data.
Though cyber attacks are increasingly difficult to prevent, the consequences of failing to stop one can be long-lasting and expensive. Perez-Reyes noted that the ransom is often the least expensive part of the ordeal, as companies experience financial fallout from service interruptions and face lawsuits filed over privacy breaches.
The financial implications of the breach at Point32 are still unclear, but the disruption has already been long-lasting. For more than a month, the company has struggled to bring its services back online, and it still hasn’t fully restored the Harvard Pilgrim website. The insurer cannot process claims or requests for prior authorization. Some members have struggled to access basic cost-sharing information, and others say they have been unable to use their insurance at all.
The insurer has instituted a variety of workarounds, including waiving requests for prior authorization for Harvard Pilgrim commercial plans for medical and behavioral health services.
The insurer has told doctors and hospitals that care provided to Harvard Pilgrim customers will be covered. And though the insurer cannot receive, process, or pay for services provided to Harvard Pilgrim commercial members, it has implemented an interim payment process.
Mark McKenna, the chief financial officer for Pediatric Associates of Greater Salem, said his practice usually receives $62,000 a month from Harvard Pilgrim for services, and has had to dip into its reserves to deal with the delay in payments.
“A regular small practice doesn’t have that cushion or availability,” McKenna said. “Even for us, I don’t like to start digging into reserves, but that’s what we’re doing. We’re digging into our reserves in order to pay payroll.”
Though the insurer was offering bridge payments, McKenna said his application was denied, because the insurer is requiring the forms to be submitted by the contracting entity to which a provider belongs. McKenna’s practice is affiliated with Steward Health Care, which so far hasn’t filed anything on behalf of its practices, he said.