In April 2023, Point32Health, the second-largest health insurer in Massachusetts and the parent company of Tufts Health Plan and Harvard Pilgrim Health Care, announced it suffered a ransomware attack that resulted in system outages, including the systems that serviced members, accounts, brokers, and providers. The attack was detected on April 17, and systems were rapidly taken offline to contain the breach, although at the time of the announcement it was unclear to what extent, if any, protected health information had been compromised.
Point32Health has provided an update on the incident and said it is likely that the protected health information of current and former members of Harvard Pilgrim Health Care plans was stolen in the attack. Point32Health said the forensic investigation confirmed that systems were breached on March 28, 2023, and the attackers maintained access to its systems until April 17, 2023, when the security breach was discovered. During that time the attackers exfiltrated files from its systems that contained personal and protected health information such as names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information.
Point32Health said some of the affected systems, including those used to service members, brokers, and providers remain offline, including the systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). Point32Health is working with third-party cybersecurity experts and expects to bring those systems back online in the coming weeks. “We are currently going through the internal IT and business validations. Once this process is complete, alongside our thorough security screenings, some of our processes will become available in a phased fashion,” said Point32Health Director of Public Relations, Kathleen Makela.
Point32Health said it has reviewed and enhanced its user access protocols, enhanced vulnerability scanning, identified prioritized IT security improvements, implemented a new Endpoint Detection and Response (EDR) security solution, and performed a password reset for all administrative accounts.
Get the FREE
HIPAA Compliance Checklist
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
HIPAA Journal Privacy Policy
Evidence has been found to indicate the protected health information of current and former health plan subscribers and their dependents has been compromised, but no reports have been received to date to indicate any misuse of the affected data; however, as a precaution against identity theft and fraud, affected individuals are being offered complimentary credit monitoring and identity theft protection services.
Point32Health and its subsidiaries serve more than 2 million individuals in New England, but it is unclear how many of those individuals have been affected.
Click Here For The Original Source.
————————————————————————————-