2,967,000 Individuals Impacted by Ransomware Attack on Harvard Pilgrim Health Care

Harvard Pilgrim Health Care has sent an updated report to the Maine Attorney General regarding the number of individuals affected by its April 2023 ransomware attack. A further 106,601 individuals were affected, bringing the total to 2,967,396. The investigation into the breach is still in progress, and the number of impacted individuals may increase further.

The data breach occurred between March 28, 2023 and April 17, 2023, during which time hackers had access to Harvard Pilgrim’s systems. Investigators found that the attackers copied a large volume of sensitive data, including personal data and protected health information (PHI). The compromised data included names, phone numbers, physical addresses, birth dates, medical insurance account details, Social Security numbers, and clinical data such as medical histories, diagnoses, treatments, provider names, and dates of service. Financial account data belonging to some individuals was also stolen.

Breach notifications have been sent to impacted individuals in stages since June 2023. The latest batch of notifications, covering the additional 106,601 individuals, was sent on August 15, 2024. These individuals, 873 of whom are residents of Maine, received notification letters between August 15, 2024 and October 3, 2024.

The March 2024 update marked the fourth time the number of impacted individuals had increased since the ransomware attack in April 2023. In February 2024, the organization added over 81,000 individuals to the victim count, raising the total to 2,632,275. On March 27, 2024, the victim count increased further to 2,860,795 individuals.

Harvard Pilgrim first detected the ransomware attack on April 17, 2023. A forensic investigation confirmed that unauthorized access to its network had occurred over a three-week period from March 28, 2023 to April 17, 2023. The 228,520 affected individuals identified during the investigation received breach notifications by mail. As required by HIPAA, each notification details the specific types of personal data that were likely compromised in the breach. Harvard Pilgrim offered affected individuals free credit monitoring and identity protection services through IDX. These services are intended to help mitigate the risk of identity theft and financial fraud for those whose personal information was compromised.

As the investigation into the data breach continued, it was discovered that the personal data of patients of Brigham and Women’s Physician Organization (BWPO) had also been exposed. Although BWPO is not directly affiliated with Harvard Pilgrim, a Harvard Pilgrim Health Care Institute employee was also employed part-time by BWPO. The employee had copied data from their work laptop, which included BWPO patient data, to Harvard Pilgrim’s servers.

BWPO was made aware of this exposure in January 2024. The copied backup file contained patient information collected between January 1, 2017 and May 1, 2019. The compromised information included names, addresses, dates of birth, phone numbers, medical record numbers, medical insurance numbers, and some clinical data such as laboratory results, procedures, prescription drugs, and diagnoses associated with care provided at BWPO. In response to the breach, BWPO adopted measures to address the data exposure and prevent similar incidents from happening again.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone