Company officials say the second-largest health insurance company in Massachusetts was the victim of a ransomware attack in which sensitive personal information and health information of current and former members may have been compromised.
Point32Health said in a statement on its website Tuesday that a “cybersecurity ransomware incident” affecting its Harvard Pilgrim Health Care program was discovered on April 17.
An ongoing investigation indicates that between March 28 and April 17, address, phone number, date of birth, Social Security number, medical history, treatment, date of service, service provider names and other member information may have been compromised.
The nonprofit said it was not aware of any misuse of information. It did not say how many people might be affected.
“We are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation,” the statement said, adding that Harvard Pilgrim is taking steps to enhance its network security.
Company spokeswoman Kathleen Makela said Wednesday via email that the company will notify those whose information may be involved.
The company has also contacted the FBI. An FBI spokesman said the agency had no comment.
According to the company’s website, Harvard Pilgrim Health Care provides services to more than 1.1 million members in Massachusetts, New Hampshire, Maine and Connecticut.
Ransomware attacks involve hackers locking down a computer network and asking for money to unlock it. Point32Health did not say whether it had paid the ransom.
Law enforcement agencies, school systems, energy infrastructure and health systems have been victims of such attacks in recent years.
The Harvard Pilgrim breach affected systems used to service members, brokers, and providers, and some functions remained down.
According to Makela, some of those systems are expected to be restored in the next few weeks.
“We are currently going through the internal IT and enterprise validation process. Once this is complete, along with our thorough security screening, some of our processes will be available in phases,” she wrote.
The insurer said it has been able to continue to ensure its members have access to care.
Other Point32Health companies such as Tufts Health Plan and CarePartners of Connecticut are not affected.