Point32Health, Harvard Pilgrim Facing 4 Data Breach Lawsuits

Class Action Suits Hit While Insurer Still Recovering From April Ransomware Attack
A ransomware attack in April that compromised the personal information of more than 2.5 million individuals has triggered at least four proposed federal class action lawsuits against Massachusetts health insurer Harvard Pilgrim Health and its parent company, Point32Health.
The lawsuits, filed over the last 10 days in the U.S. District Court for the District of Massachusetts, each make similar claims against the companies, including negligence, breach of implied contract, breach of fiduciary duty and unjust enrichment for failing to protect personal information against cyberattacks.
Plaintiffs filed the first of the four lawsuits on May 30. The two most recent lawsuits came on Wednesday.
Point32Health, Massachusetts' second-largest health insurer and parent company of nearly a dozen firms, discovered the ransomware attack on April 17. The incident affected Harvard Pilgrim Health Care's commercial and New Hampshire Medicare Advantage Stride plans (see: New England Health Plan Still Recovering From Attack).
Point32Health on Tuesday posted an update for health plan members indicating the company was still experiencing impacts to its IT system involving its Harvard Pilgrim Health Care commercial and Medicare Advantage Stride health plans.
A Point32Health spokeswoman told Information Security Media Group the company has been making "significant progress" in bringing its systems back online and processing business transactions.
That includes distributing provider payments for claims processed prior to the incident, restoring access for servicing teams and providers to member eligibility, confirming security protocols and reactivating information sharing with many trading partners, delivering broker commissions, and issuing temporary member ID cards as needed.
"Over the next few weeks, we expect more core functions and tools to come back online," she said. That includes enrolling new members, claims processing for self-insured individuals, and expanded functionality within member, provider, employer and broker servicing teams.
On its website, Point32Health says it is still waiving prior authorization requirements for Harvard Pilgrim health plan members to use nonpharmacy medical and behavioral health benefits.
The investigation into the incident "identified signs that data was copied and taken from our Harvard Pilgrim systems from March 28 to April 17," Harvard Pilgrim said in a breach notice posted on its website.
Affected information includes names, addresses, phone numbers, birthdates, health insurance account information, Social Security numbers, provider taxpayer identification numbers and clinical information, the company said.
Harvard Pilgrim is offering affected individuals two years of credit monitoring and identity theft protection services.
Nonetheless, plaintiffs and class members affected by the incident face the risk of identity theft and fraud crimes, the lawsuits allege.
"Defendants' failure to timely detect and report the data breach made their customers vulnerable to identity theft without any warnings to monitor their financial accounts or credit reports to prevent unauthorized use of their sensitive information," alleges the lawsuit complaint filed by plaintiff Tracy Wilson, a Harvard Pilgrim health plan member.
Each proposed class action lawsuit seeks similar relief, including punitive damages and an injunctive order for Harvard Pilgrim and Point32Health to protect sensitive data against future incidents.
In its last public update about the incident, Point32Health said it was already taking "several steps to further enhance the security of our organization and the data entrusted to us." That includes reviewing and enhancing user access protocols, bolstering vulnerability scanning and identifying prioritized IT security improvements, implementing a new endpoint detection and response solution, and conducting password resets for administrative accounts.
Point32Health did not immediately respond to ISMG's requests for comment on the lawsuits and for additional details about the ransomware incident.