A ransomware attack and subsequent data breach at Harvard Pilgrim Health Care in April affected over 2.5 million members, but the system outage caused by the ransomware attack has prevented the insurer from directly informing many of the potential victims, because the insurer could not access their contact information.
Two months later, the insurer is only just beginning to reach out to members directly, but many remain in the dark about whether their personal information was compromised.
The breach of confidential patient medical records, and the lack of communication about it, has prompted outcry from many members. A class action lawsuit has been filed, accusing the insurer of failing to protect health information as well as failing to promptly notify members of the breach.
“There was no correspondence, and there still hasn’t been,” said Mark Dagostino, a writer and Harvard Pilgrim customer from Stratham, N.H. “I’ve never seen this happen with any company, nonetheless something as important as people’s health insurance. I’m shocked.”
Harvard Pilgrim, part of Point32Health, the state’s second-largest health insurer, first disclosed in mid-April that it had been the victim of a ransomware attack affecting the systems it uses to service members, accounts, brokers, and providers. On May 23, the insurer disclosed that patient data had been stolen, but declined to publicly say how many members were affected.
The next day, however, the insurer informed the US Department of Health and Human Services Office for Civil Rights that millions of people’s data potentially had been compromised. A spokeswoman for the insurer confirmed the 2.5 million figure. In all, potential victims include those who are or were enrolled in Harvard Pilgrim Commercial or Medicare health plans since March 28, 2012.
The data in the accessed files could contain a slew of patient information, the spokeswoman said, including names, addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and medical history — such as diagnoses, treatment, dates of service, and provider names.
The same outage that took down the insurer’s member-facing systems also cut off its access to member contact records, the spokeswoman said, which is why it could not notify members directly: “contact information was not accessible.”
Harvard Pilgrim has instead sought to inform members through employers, insurance brokers, press releases, and its website, and has made credit monitoring services available through a website for those wishing to enroll.
The spokeswoman also said that Harvard Pilgrim began alerting potentially affected members by mail starting June 15.
The insurer said it has repaired several functions in the two months since the attack, including the ability to check member eligibility. It also has been issuing temporary member ID cards, and distributed payments to providers that had been submitted before the attack.
However, Harvard Pilgrim’s website and many of its internal functions remain down. The insurer cannot process claims or requests for prior authorization. Some members said they were unable to use their insurance at all.
Josh Golin, of Watertown, said he spent hours on the phone with the insurer trying to get the authorizations and referrals for his 14-year-old daughter to see an allergist, and struggled for days to get answers. Even though Harvard Pilgrim has decided to waive such requirements for now, he worries the insurer will change the rules overnight, leaving him responsible for a large bill.
He remains concerned that his family’s data was affected in the breach. Beyond getting a notice from his employer that the insurer had been targeted in a ransomware attack, he hasn’t heard anything else from the company.
“It’s disconcerting the way they’ve responded,” he said.
A spokesperson for the Massachusetts attorney general’s office said that the office would look into the circumstances that led to the breach and the company’s response.
While consumers wait for notification, a class-action lawsuit against the company is moving forward, spearheaded by a woman who said that fraudulent charges appeared on her credit card following the breach.
Attorneys representing the woman did not respond to requests for comment. However, in a filing submitted in US District Court in Massachusetts on June 2, New Hampshire resident Kelli Mackey said her employer informed her about the hack on May 26.
Mackey wasn’t able to sign up for credit monitoring services right away because of the Memorial Day weekend. In the meantime, Mackey said, $250 of fraudulent charges were made to her credit card.
Beyond faulting the company for its security measures, the lawsuit criticizes the company for the delay in informing members of the breach, noting that the insurer and its parent company discovered the breach in mid-April, but did not notify Mackey’s employer until late May.
The suit seeks damages, free credit monitoring for class members indefinitely, and an order requiring the company to strengthen its data security systems and monitoring procedures and to submit to annual audits.
Point32Health declined to comment on the lawsuit.