New England Health Insurer Still Dealing With Ransomware Attack

May 24, 2023

Point32Health, the parent company of Tufts Health Plan and Harvard Pilgrim Health Care, is still dealing with a ransomware attack it first reported on April 17. The company has now disclosed that patient information has been stolen.

The Massachusetts-based health insurer said the cyber attack has affected systems it uses to service members, accounts, brokers and providers in support of its Harvard Pilgrim Health Care commercial and Medicare Advantage Stride plans.

Currently Tufts Health Plan, Tufts Medicare Preferred, Tufts Health Public Plans and CarePartners of Connecticut systems remain unaffected and accessible.

Point32Health has been notifying subscribers that their information may have been compromised. The stolen data may include personal information and potentially protected health information belonging to current and former subscribers and dependents, as well as current providers, including names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, and provider taxpayer identification numbers.

Clinical information, such as medical history, diagnoses, treatment, dates of service, and provider names, may also have been compromised, the company said.

The data was copied and taken between March 28 and April 17.

Changing Cyber Landscape Poses Challenges For Health-Care Market

The company said it is not aware of any misuse of personal information and protected health information as a result of the incident. Harvard Pilgrim is offering complimentary access to two years of credit monitoring and identity theft protection services through IDX.

The company has notified law enforcement and regulators and said it is working with third-party cybersecurity experts to investigate and remediate the situation. It has also taken steps to strengthen the cyber security of its organization and data.

As a result of the attack, the company has been unable to accept claim submissions for Harvard Pilgrim Commercial members, and has requested providers hold these submissions until further notice. It is accepting claims for Harvard Pilgrim Medicare Advantage Stride members and all Tufts Health Plan members, including Tufts Health Commercial Plans, Tufts Health Plan Senior Products, and Tufts Health Public Plans.

Providers did not receive payment on April 21 and April 28 for services rendered to Harvard Pilgrim Health Care commercial members due to the cybersecurity ransomware incident.

Harvard Pilgrim Health Care commercial and Medicare Advantage Stride plans have waived utilization management requirements, including prior authorization and notification, for a number of medical and behavioral health covered services.

Cyberattack on Boston Labor Union Health Fund Results in $6.4M Loss

“It’s important to continue to care for members. Even if you are not able to ascertain copay amounts or confirm eligibility, it’s important to continue to ensure that patients can obtain health care,” the company told providers.

The non-profit health services company based in Canton, Massachusetts serves the New England states. It is the second largest health insurer in Massachusetts.