Harvard Pilgrim Health Care is facing at least four federal proposed class action lawsuits stemming from an April ransomware attack and data breach.
It’s been a dizzying eight weeks since the second largest health insurer in Massachusetts discovered the cybersecurity incident. And the company has still not restored its full network capacity. Point32Health, the parent company of Harvard Pilgrim Health Care (HPHC), said it identified the attack on April 17 and took some systems offline right away to contain the threat.
Ransomware Attack Leads to Confusion
According to HPHC’s data breach notice, hackers entered its network and,
“Unfortunately, the investigation identified signs that data was copied and taken from our Harvard Pilgrim systems from March 28, 2023, to April 17, 2023.”
More than 2.5 million plan members who had registered over the past 11 years were affected. The stolen files contained protected health information (PHI) and personal information “for current and former subscribers and dependents, and current contracted providers.”
The information included names, birthdates, phone numbers, addresses, Social Security numbers, health insurance account details, provider taxpayer identification numbers, and clinical data.
System outages continue to plague HPHC as it works to restore full service. On June 15, a note on its website stated:
“Harvard Pilgrim Health Care system outage
Thank you for your patience while we work to restore full Harvard Pilgrim Health Care business operations. We appreciate your support and understanding.”
The investigation continues, and there appears to be some confusion among the provider partners and health plan members. The following status update message is posted on the Point32Health website today:
“Point32Health has communicated to our provider partners that they should continue providing care to Harvard Pilgrim Health Care members during this ongoing incident and services will be covered.”
Lawsuits Claim Negligence
The four proposed class action lawsuits make similar claims and ask for similar relief. Their claims include negligence, breach of implied contract, breach of fiduciary duty and unjust enrichment for failing to protect personal information against cyberattacks.
They also allege that those affected by the incident face the risk of identity theft and fraud crimes.
One complaint, filed by an HPHC plan member, states:
“Defendants’ failure to timely detect and report the data breach made their customers vulnerable to identity theft without any warnings to monitor their financial accounts or credit reports to prevent unauthorized use of their sensitive information.”
In another lawsuit the plaintiff alleges that HPHC “intentionally, willfully, recklessly, or negligently” failed to ensure that personal health and identification information was secure and that the company did not take the appropriate steps to prevent data breaches.
In its last public update about the incident, Point32Health said it was already taking steps to “further enhance the security of our organization and the data entrusted to us.”
HIPAA Compliance Questions are Next
In addition to the lawsuits, Point32Health and HPHC will face a HIPAA investigation by the Office for Civil Rights (OCR), which investigates all breaches affecting 500 or more individuals. OCR will evaluate the company’s HIPAA policies and its risk analysis and risk management procedures.
Although the cybersecurity improvements implemented after the event are a good sign, OCR will be scrutinizing the company’s cybersecurity practices before the event. Did they have all the protections required by the Security Rule? Did they conduct adequate workforce training?
Reduce the chances that a ransomware attack will succeed by shoring up cybersecurity defenses with HIPAA compliance now, before hackers come for the valuable personal data in your care.