Point32Health, the parent company of Harvard Pilgrim Health Care, has confirmed that its commercial and Medicare Advantage Stride plans were hit by a ransomware attack. While there is no evidence that protected health information was compromised, the attack has resulted in some service disruptions, including waiving prior authorizations for most medical and behavioral health-covered services. Point32Health has reassured its members that it takes the privacy and security of the data entrusted to it seriously, and will notify individuals if their sensitive information is involved in this incident.
On April 17, 2023, Point32Health, the parent company of Harvard Pilgrim Health Care (HPHC), the second-largest health insurer in Massachusetts, detected the presence of a malicious actor within its network. The company confirmed that its Harvard Pilgrim Health Care commercial and Medicare Advantage Stride plans were hit by a ransomware attack. As a result of the attack, Point32Health has announced that it will waive prior authorizations for most medical and behavioral health-covered services and cannot accept claim submissions for Harvard Pilgrim commercial members at this time.
While Point32Health has indicated that it does not yet have evidence that protected health information (PHI) was compromised, some impacts of the attack that affect providers and patients have been reported:
- No files are going into or out of Harvard Pilgrim Health Care systems, including EDI, HRA/HSA, and data warehouse extracts, and no electronic payments are being taken.
- Prior authorizations for CAR-T cell therapy, gender-affirming surgical procedures, and solid organ transplant surgeries are not waived – all others are waived until further notice.
- Prior authorizations for pharmacy and medical benefit drugs are still required because those systems continue to function normally.
- Member enrollments being processed when systems went down could be denied at the pharmacy.
Point32Health is currently working with Optum to load newly enrolled members into OptumRx. If members are having difficulties filling a prescription, they are advised to call the number on the back of their ID card, and a representative will work to ensure that their medication can be filled.
Some disruptions to care have been reported, with providers and pharmacies concerned about a member’s covered services and medications. A viewer reportedly left a CVS MinuteClinic without receiving care after being told that their health insurance was rejected and they would need to pay out of pocket.
HPHC websites remain offline and are pointing to the Point32Health System Update statement and FAQ.
The cyberattack on HPHC highlights the increasing threat of ransomware attacks on the healthcare industry. A recent study published in JAMA found that half of the ransomware attacks from 2016 to 2021 disrupted healthcare delivery. While the disclosure of PHI is always a concern for organizations subject to HIPAA, disruptions to care can result in patient injury and even death.
While provider organizations are often the primary targets for cyberattacks in the healthcare sector, insurers and other sources of high-value healthcare data are also attacked. The French health insurance company Mutuelle Nationale des Hospitaliers experienced a RansomExx ransomware attack that disrupted the company’s healthcare operations in 2021. Last month, the DC Health Link insurance marketplace experienced a security breach that compromised the personal data of numerous House of Representatives members, spouses, dependents, and employees in both parties.
Point32Health has reassured its members that it takes the privacy and security of the data entrusted to it seriously. If, during its investigation, Point32Health determines that any individuals’ sensitive information is involved in this incident, it will notify them according to applicable law.