Harvard Pilgrim Health Care, a leading healthcare provider located at 1 Wellness Way, Canton, MA, announced a significant data breach affecting more than 2.5 million individuals. The breach was discovered on April 17, 2023, and occurred due to an external system hacking incident which began on March 28, 2023.
Chris Walsh, Vice President of Privacy and Fraud Prevention at Harvard Pilgrim, stated that the breach was the result of a cybersecurity ransomware incident that impacted systems used to service members, accounts, brokers, and providers. Upon detecting the unauthorized access, Harvard Pilgrim took its systems offline proactively to contain the threat. The organization notified law enforcement and regulators and is working with third-party cybersecurity experts to conduct a thorough investigation and remedy the situation.
The data breach investigation revealed signs that data was copied and taken from Harvard Pilgrim systems during the period of March 28 to April 17, 2023. The compromised files may contain personal information and protected health information of Harvard Pilgrim members, including names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, and clinical information, such as medical history, diagnoses, treatment details, dates of service, and provider names.
In response to the data breach, Harvard Pilgrim is actively investigating the incident, conducting extensive system reviews, and working on implementing additional safeguards and training for its employees. The organization is also providing access to credit monitoring services through IDX for two years, free of charge, to those individuals whose personal information was potentially affected by this incident.
Additionally, Harvard Pilgrim is offering guidance to impacted individuals on how to protect themselves against identity theft and fraud. This includes information on placing fraud alerts and security freezes on credit files, contacting national consumer reporting agencies, obtaining free credit reports, and contacting the Federal Trade Commission, state Attorneys General, and law enforcement to report attempted or actual identity theft and fraud.
Harvard Pilgrim is communicating this incident to relevant state and federal regulators, as well as the three major credit reporting agencies, Equifax, Experian, and TransUnion. The U.S. Department of Health and Human Services and prominent media outlets have also been notified, pursuant to the Health Insurance Portability and Accountability Act (HIPAA).
Individuals who believe they may have been affected by this data breach or have additional questions are encouraged to contact IDX at (888) 220-5517 or visit the Harvard Pilgrim Health Care Response Page for assistance. Representatives are available from 9:00 am to 9:00 pm Eastern Time, Monday through Friday (excluding U.S. holidays).