A crippling cyberattack at the state’s second-largest insurer not only interrupted operations for months but also pummeled the insurer’s financials.
For the six months ending in June, Point32Health reported a $102.7 million operating loss on $4.8 billion in revenue. Those results compare with a $25.8 million operating loss on $4.9 billion in revenue in the same period the previous year. The most recent earnings capture nearly the full timespan of the ransomware attack and cybersecurity breach that hamstrung operations at one of Point32’s insurers, Harvard Pilgrim Health Care, from mid-April through much of July.
Scott Walker, chief financial officer at Point32Health, attributed the loss largely to the cyber incident, which he called “transient and one time in nature,” in a statement. He added that the company remained on solid financial footing and that he was confident in its strategic direction.
Point32Health did not release details of its costs and has never said whether the organization paid the ransom to restore its data. However, it noted that the company did face a financial impact from responding to the incident, restoring operations, and hiring third-party experts.
Contributing to higher costs was the interest the insurer said it would pay on claims that had been delayed due to the attack. Patrick Cahill, president of commercial markets for Point32Health, said the company was paying 1.5 percent in interest a month. Claims repayment began in May and, by August, the company had worked through a backlog of over a million transactions.
The insurer may have also paid more in claims than it normally would have because it eliminated prior authorization requests for services from mid-April through late July. That means it likely covered services it might have otherwise denied. A spokesperson said the insurer was still evaluating the impact of that decision.
The cyberattack forced the insurer to take systems associated with Harvard Pilgrim offline for weeks and then reestablish connections with its vendors and partners.
The shutdown lasted as long as it did because the insurer needed to restore systems in a certain order. For example, it needed to make sure that when member cards are issued, they are connected to an assigned member ID number. Both things need to function properly before the patient’s provider can check eligibility and benefits and ultimately submit a claim.
Though the insurer had resumed normal operations by late July, costs from the breach will likely continue to add up. The protected health information of over 2.5 million people may have been accessed, and the insurer has committed to paying for two years of credit monitoring for those who sign up for it.
There may also be costs related to ongoing litigation.
While the insurer experienced challenges related to the breach, it wasn’t the only insurer to report financial struggles during the first half of the year. Blue Cross Blue Shield of Massachusetts reported a $75.6 million operating loss on $4.62 billion in revenue, which the insurer said was related to more large-dollar claims and an increase in pharmacy spending, in part due to the use of high-cost weight loss drugs.