Harvard Pilgrim Health Care Ransomware Attack Affected at Least 2,967,000 Individuals
Harvard Pilgrim Health Care has issued an updated notification to the Maine Attorney General about its April 2023 ransomware attack, increasing the total number of affected individuals by 106,601 to 2,967,396 individuals. In the notification, Harvard Pilgrim Health Care said the investigation into the data breach is still ongoing, so that may not be the final total.
Harvard Pilgrim Health Care said the investigation uncovered evidence that a significant amount of data was copied from its systems between March 28, 2023, and April 17, 2023, which included personal and protected health information. The data stolen in the attack is known to have included names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, and clinical information such as medical histories, diagnoses, treatment information, dates of service, and provider names. A limited number of the affected individuals also had their financial account information stolen.
Harvard Pilgrim Health Care has been issuing notifications on a rolling basis to individuals since June 2023. The additional 106,601 individuals, which include 873 Maine residents, were confirmed as having been affected on August 15, 2024, and were sent notification letters between August 15, 2024, and October 3, 2024.
March 29, 2024: Harvard Pilgrim Health Care Increases Ransomware Victim Count to 2.86 Million
In February, Harvard Pilgrim Health Care revised the total number of individuals affected by an April 2023 ransomware attack, increasing the total by more than 81,000 to 2,632,275 individuals. That total was increased for the fourth time on March 27, 2024, as the ongoing investigation identified more data that was compromised in the attack. Now, at least 2,860,795 individuals are known to have been affected.
The ransomware attack was discovered on April 17, 2023, with the forensic investigation determining there had been unauthorized access to Harvard Pilgrim Health Care's network between March 28, 2023, and April 17, 2023. The additional 228,520 affected individuals have now been notified by mail, and the HIPAA notification letters state the exact types of data that were likely compromised in the attack. Harvard Pilgrim Health Care said it is offering complimentary credit monitoring and identity protection services through IDX.
It is not unusual for data breach investigations to uncover additional compromised data. Further data identified as having been accessed in the attack included the information of patients of Brigham and Women’s Physician Organization (BWPO). BWPO is not part of Harvard Pilgrim, but an employee of Harvard Pilgrim Health Care Institute also worked at BWPO part-time. The employee had backed up the contents of their laptop to Harvard Pilgrim’s servers, and the backup file included BWPO data. BWPO learned of the data exposure in January 2024.
BWPO said the backup file included data from January 1, 2017, to May 1, 2019, including names, addresses, phone numbers, dates of birth, medical record numbers, health insurance numbers, and limited clinical information, such as lab results, procedures, medications, and diagnoses related to care provided at BWPO. A BWPO spokesperson said appropriate steps have been taken to address the breach and prevent similar incidents from occurring in the future.


