
Insurance regulators examine Point32Health data breach

Massachusetts insurance regulators have opened an examination into a cyberattack on one of the state’s largest health insurance providers.

The Division of Insurance is monitoring the Point32Health data breach, which may have compromised personal data including addresses, medical history, and Social Security numbers of current and former Harvard Pilgrim Health Care policyholders, according to Executive Office of Housing and Economic Development spokesperson Margaret Quackenbush.

The insurance giant, which is the parent company of Harvard Pilgrim, informed members last week that an investigation into a ransomware attack it identified last month has now determined that patient information might have been stolen.


In addition to the examination into how the data breach could affect the company, health care providers, and members who use the insurance, the state insurance division has been in contact with Point32Health to provide consumers and providers with resources to address negative effects on credit or other financial consequences of the breach, Quackenbush said. State regulators are required to monitor the solvency and market conduct of insurers, and officials want to ensure that the situation is being properly addressed because a data breach could affect the financial condition of an insurer, and consequently consumers and providers.

Quackenbush did not provide a copy of the notice the Division of Insurance sent to Point32Health regarding the examination, suggesting a public records request was needed first.

According to the state Office of Consumer Affairs and Business Regulation, a business must notify that office, the attorney general’s office, and affected consumers “within a reasonable amount of time after either the discovery of a breach or knowledge that personal information was obtained.”

However, Quackenbush said Point32Health had not yet sent the consumer affairs office written notice of the breach. The company first identified the cyberattack on April 17 and announced on Tuesday that patient information might have been “copied and taken” from Harvard Pilgrim systems between March 28 and April 17.


According to the state, the notification must include the number of Massachusetts residents affected as of the time of notification, information regarding whether law enforcement is engaged in investigating the incident, and a “detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information,” among other things.

Though Point32Health has not sent official notice of the incident, the company has been in touch with the Office of Consumer Affairs and Business Regulation to inform it that it is conducting an internal investigation into what data was breached and whether it contained personal health information, Quackenbush said.

When asked to share any formal notification to state authorities about the breach, Harvard Pilgrim spokesperson Kathleen Makela said in an e-mail Thursday that the insurer “conveyed to them the same information that is available on our website.”

The insurer also declined to offer an estimate of the number of people potentially affected by its breach. Makela said the insurer was “notifying individuals whose information may have been involved in the incident” and notifying them “through their employers, website, and through media coverage.”

“In the coming weeks we will also start to mail notices for those individuals for whom we have valid mailing addresses,” Makela wrote to the News Service.

Point32Health informed the Office of Consumer Affairs and Business Regulation that it hired a third party to handle consumer inquiries about the breach, according to Quackenbush, and is offering credit monitoring services through IDX. The insurance giant is also working with an outside firm on security enhancements.


Alison Kuznitz contributed to this report.