Major Massachusetts health insurer hit by ransomware attack, member data could be compromised

Massachusetts’ second-largest health insurer has been the victim of a ransomware attack in which sensitive personal information as well as health information of current and past members may have been compromised, company officials said.
Point32Health said in a statement posted to its website earlier this week that a “cybersecurity ransomware incident” affecting its Harvard Pilgrim Health Care program was detected on April 17.
An ongoing investigation has indicated that from March 28 to April 17, members’ addresses, phone numbers, dates of birth, social security numbers, medical histories, treatments, dates of service, names of providers and other information may have been disclosed.
The non-profit company said it was not aware of any misuse of the information. It did not specify how many people might be affected.
“We are working with third-party cybersecurity experts to thoroughly investigate this incident and remediate the situation,” the statement said, adding that Harvard Pilgrim is taking steps to strengthen its cybersecurity.
Company spokeswoman Kathleen Makela said via email Wednesday that the company would notify people whose information may have been implicated.
The company also contacted the FBI. An FBI spokesperson said the agency had no comment.
Harvard Pilgrim Health Care provides services to more than 1.1 million members in Massachusetts, New Hampshire, Maine and Connecticut, according to the company’s website.
Ransomware attacks involve hackers locking down a computer network and demanding money to unlock it. Point32Health did not say whether it paid a ransom.
Law enforcement, school systems, energy infrastructure, and healthcare systems have been victims of such attacks in recent years.
The Harvard Pilgrim breach affected systems used by service members, brokers and vendors, and some functions remained inactive.
A number of those systems are expected to be restored in the coming weeks, according to Makela.
“We are currently going through internal IT and business validations. Once this process is complete, alongside our extensive security checks, some of our processes will be available on a phased basis,” she wrote.
The insurer said it was able to continue to guarantee access to care for its members.
Other Point32Health companies such as Tufts Health Plan and CarePartners of Connecticut were not affected.