Breach

Harvard Pilgrim Health Care (HPHC) has disclosed that a ransomware attack it suffered in April 2023 impacted 2,550,922 people, with the threat actors also stealing their sensitive data from compromised systems.

The Massachusetts-based non-profit health services provider shared this information—which corresponds to roughly all its members—to the U.S. Department of Health and Human Services breach portal.

Last week, the organization published a notice informing that ransomware actors maintained access to its systems between March 28 and April 17, 2023, when the breach was discovered.

  • A subsequent investigation conducted with the help of third-party cybersecurity experts revealed that the cybercriminals exfiltrated sensitive data from HPHC's network.

"Unfortunately, the investigation identified signs that data was copied and taken from our Harvard Pilgrim systems from March 28, 2023, to April 17, 2023," reads the notice.

"We are continuing our active investigation and conducting extensive system reviews and analysis before we can resume our normal business operations."

  • As a result of the attack, coverage under Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride systems is impacted.

The stolen files include the following types of sensitive information:

  • Full names
  • Physical addresses
  • Phone numbers
  • Dates of birth
  • Health insurance account information
  • Social Security numbers
  • Provider taxpayer identification numbers
  • Clinical information, including medical history, diagnoses, treatment, dates of service, and provider names

The organization has clarified that the incident impacts current and former members of Harvard Pilgrim, who had a registration date starting on March 28, 2012.

  • The above information is very sensitive and could expose affected individuals to phishing or social engineering attacks. HPHC states that it has not detected any cases of stolen data misuse. 
  • HPHC also provides credit monitoring and identity theft protection services to safeguard individuals impacted by this security incident.

It's important to note that ransomware gangs often exploit stolen data to pressure victims into complying with ransom demands. If victims refuse to pay, attackers may also sell the data to other cybercriminals or release it publicly.

No ransomware group has claimed responsibility for the attack on HPHC, according to the information available at this time.

For current or former members of HPHC, exercising caution when receiving unsolicited messages and maintaining vigilance over an extended period is strongly advised.

Related Articles:

MCNA Dental data breach impacts 8.9 million people after ransomware attack

Ransomware gang steals data of 5.8 million PharMerica patients

BlackByte ransomware claims City of Augusta cyberattack

Arms maker Rheinmetall confirms BlackBasta ransomware attack

Toyota finds more misconfigured servers leaking customer info