The cybercriminals who invaded the systems of health insurer Harvard Pilgrim between March 28 and April 17 likely stole patient data, the insurer’s parent company has announced.
The insurer, which has been struggling for weeks because of the ransomware attack, has assured doctors and hospitals that care provided to Harvard Pilgrim customers will be covered.
But this week’s revelation from parent company Point32Health raised a new fear: identity theft. The information stolen from Harvard Pilgrim’s system could include everything from patients’ names, addresses, and Social Security numbers to data on their medical histories, diagnoses, and treatments, company officials said.
The breach may affect current or former members who enrolled between March 28, 2012, and the present. Harvard Pilgrim said it has begun to notify “potentially affected individuals” that their information may have been compromised. A company spokesperson declined to say how many members it had notified and said the company could not yet say how many people were affected.
What can those whose data has been stolen do? Here is what the company is suggesting:
Sign up for the free identity theft protection
Harvard Pilgrim said it will offer free access to two years of identity theft protection and credit monitoring services for potentially affected people. It has created a website for those wishing to enroll.
The services are offered by IDX, a digital privacy and data breach services company.
The Harvard Pilgrim website said the company was “not aware of any misuse of personal information and protected health information as a result of the incident” but was acting out of “an abundance of caution.”
Call if you have any questions
The company said it had set up a call center so people can ask questions and enroll in the identity protection and credit monitoring services. The number is 888-220-5517 and it will be staffed Monday through Friday from 9 a.m. to 9 p.m., except for holidays, the company said. (People with questions unrelated to the incident can still call the number on the back of their member cards).
Take steps to protect your credit
The insurer also pointed out general steps that people can take to protect themselves. One is to request the free credit report they are entitled to under federal law each year from the three major credit reporting bureaus: Equifax, Experian, and TransUnion.
Another step is to place an initial or extended “fraud alert” on a credit file at no cost. That requires a business to take steps to verify a consumer’s identity before extending new credit.
An alternative, the insurer said, is a “credit freeze,” which will prohibit a credit bureau from releasing information in the credit file without the consumer’s authorization.
The insurer also recommended that people “remain vigilant, monitor, and review their financial and account statements and explanations of benefits, and report any unusual activity to the institution that issued the record and to law enforcement.”
IDX recommended that people carefully review their credit reports. “Look for accounts you did not open. Look for inquiries from creditors that you did not initiate. Look for personal information, such as home address, employment or Social Security numbers, that are not accurate. If you see anything you do not understand, call the credit reporting bureau at the telephone number on the report,” the company suggested.
For more information, IDX suggested, people can contact the Federal Trade Commission at 1-877-438-4338. The FTC website also contains information on identity theft.
Martin Finucane can be reached at firstname.lastname@example.org. Jessica Bartlett can be reached at email@example.com. Follow her on Twitter @ByJessBartlett.