Patient information may have been stolen during a ransomware incident that hit Harvard Pilgrim Health Care earlier this year, the health care company said this week. 

Point32Health, which serves as the parent company for Harvard Pilgrim, said it learned about the incident on April 17 and took systems offline while working to identify the cybersecurity problem. 

Just over a month later, Harvard Pilgrim said an investigation into the breach showed signs that data was copied and taken from Harvard Pilgrim systems between March 28 and April 17.

“We determined that the files at issue may contain the following types of personal information and/or protected health information: names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information,” the company said.

Harvard Pilgrim said the breach could impact current or former subscribers and dependents, as well as contracted providers. 

Speaking this week, Dr. Bryan Harnsberger said the situation since Harvard Pilgrim’s breach has been “the wild west.”

“We are getting these press releases without any serious interpretation,” said Harnsberger, the CEO of Wellesley Counseling & Wellness. 

Harnsberger is a licensed clinical psychologist. He said his practice serves a substantial number of Harvard Pilgrim subscribers. 

“Privacy and safety are the two biggest concerns,” he said on Tuesday. “So, this is incredibly disappointing to hear that one of the larger insurance companies is possibly compromised.”

A notice of the data breach appeared on Harvard Pilgrim’s website along with a “Thank you for your patience” message as of Tuesday night. 

In a statement, the company said in part, “Harvard Pilgrim is taking steps to implement additional data security enhancements and safeguards to better protect against similar events in the future.”

Kevin Powers, who serves as the director of Boston College’s graduate cyber security programs, said companies like Harvard Pilgrim should be prepared for situations like this. 

“It’s not a matter of if, it’s a matter of when,” he said.

As patients and providers now wait to see if their personal information was taken, Harnsberger shared his thoughts.

“Insurance is supposed to make you feel safe,” he said. “When things like this happen, you don’t get any assurance from insurance.” 

“[It’s] stressful to say the least, not being able to guarantee that clients are safe in a practice where we put such emphasis on creating a safe and secure place,” Harnsberger continued.

While Harvard Pilgrim said it is not aware of any misuse of personal information or protected health information as a result of this incident, the company said it has started reaching out to people who have potentially been impacted and offering services such as credit monitoring and identity theft protection.

In its statement, Point32 also said law enforcement has been contacted and cybersecurity experts were still reviewing what happened.

“Point32Health has communicated to our provider partners that they should continue providing care to HPHC members during this ongoing incident and services will be covered,” Point32 said.

Both Harvard Pilgrim and Point32 said they are working to get Harvard Pilgrim systems back up and running.

See Point32Health’s full statement here. And see the Harvard Pilgrim notice of data security incident with additional information for individuals worried that they have been impacted here.

(Copyright (c) 2023 Sunbeam Television. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed.)
