Harvard Pilgrim Health Care, a health care company, has revealed that patient information may have been stolen during a ransomware incident earlier this year. The parent company, Point32Health, learned about the incident on April 17 and took systems offline while working to identify the cybersecurity problem. An investigation into the breach showed signs that data was copied and taken from Harvard Pilgrim systems between March 28 and April 17. The company stated that the files at issue may contain personal information and/or protected health information, including names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information. The breach could impact current or former subscribers and dependents, as well as contracted providers.
Dr. Bryan Harnsberger, CEO of Wellesley Counseling & Wellness, said the situation since Harvard Pilgrim’s breach has been “the wild west.” He added that privacy and safety are the two biggest concerns and that it is incredibly disappointing to hear that one of the larger insurance companies is possibly compromised. Kevin Powers, who serves as the director of Boston College’s graduate cyber security programs, said companies like Harvard Pilgrim should be prepared for situations like this. “It’s not a matter of if, it’s a matter of when,” he said.
While Harvard Pilgrim said it is not aware of any misuse of personal information or protected health information as a result of this incident, the company said it has started reaching out to people who have potentially been impacted and offering services such as credit monitoring and identity theft protection. In its statement, Point32 also said law enforcement has been contacted and cybersecurity experts were still reviewing what happened.
Both Harvard Pilgrim and Point32 said they are working to get Harvard Pilgrim systems back running. Harvard Pilgrim is taking steps to implement additional data security enhancements and safeguards to better protect against similar events in the future. A notice of the data breach appeared on Harvard Pilgrim’s website along with a “Thank you for your patience” message.
As patients and providers now wait to see if their personal information was taken, Harnsberger shared his thoughts. “Insurance is supposed to make you feel safe,” he said. “When things like this happen, you don’t get any assurance from insurance.” “[It’s] stressful to say the least, not being able to guarantee that clients are safe in a practice where we put such emphasis on creating a safe and secure place,” Harnsberger continued.
To mitigate the risk of cyberattacks, companies should have robust cybersecurity measures in place. This includes regular software updates, employee training, and implementing multi-factor authentication. Companies should also have a response plan in place in case of a breach.
In conclusion, the Harvard Pilgrim Health Care ransomware incident highlights the importance of cybersecurity in the healthcare industry. Companies must take proactive measures to protect patient information and respond quickly in case of a breach. Patients and providers should remain vigilant and take advantage of the services, such as credit monitoring and identity theft protection, that companies offer when a breach occurs.