The second-largest health insurer in Massachusetts, Point32Health, has revealed for the first time that a data breach that has plagued the business for weeks resulted in the theft of patient information.
The parent business of Tufts Health Plan and Harvard Pilgrim Health Care announced on Tuesday that it has started notifying members whose information may have been exposed and that cybercriminals had probably copied and stolen data from Harvard Pilgrim’s servers between March 28 and April 17.
What’s in the stolen data?
The stolen information may include names, physical addresses, phone numbers, dates of birth, information about health insurance accounts, Social Security numbers, and taxpayer identification numbers for current and former subscribers and dependents, as well as current providers. It may also include potentially protected health information. Clinical data, including names of providers, dates of services, diagnoses, and treatments, may also have been affected.
According to a corporate spokeswoman, the investigation and data review are still in progress, so it was not yet possible to determine how many people were impacted. The company said it had notified regulators of the event but declined to say how many members it had notified. The insurer had also informed law enforcement once it discovered the compromise on April 17.
The breach may affect current or former Harvard Pilgrim members who enrolled between March 28, 2012, and the present, including individual and family plans bought directly from the company, state-based exchanges, or plans chosen through employers, as well as service providers currently under contract with Harvard Pilgrim, according to the company’s website. The insurer acknowledged that it also affects members of both its fully insured and self-insured products.
Harvard Pilgrim’s statement
“Harvard Pilgrim is taking this incident extremely seriously and deeply regrets any inconvenience this incident may cause,” the insurer said in a release. “At this point, Harvard Pilgrim is not aware of any misuse of personal information and protected health information as a result of this incident, but nonetheless has begun notifying potentially affected individuals to provide them with more information and resources.”
The business announced that it will provide free identity protection and two years of access to credit monitoring services for anybody who may be impacted, and it has set up a website for those who want to sign up.
The insurer also mentioned on the Harvard Pilgrim website that customers may set a free initial or extended “fraud alert” on their credit history, which would force a company to take action to confirm a customer’s identity before issuing new credit.
The insurer’s spokespeople have not confirmed whether the ransom has been paid.
The systems that support the commercial and New Hampshire Medicare Advantage Stride plans offered by Harvard Pilgrim were most affected by the outage; Tufts Health and other plans were unaffected.