The parent organization of Harvard Pilgrim Health Care (HPHC) and other insurance plans is undergoing a ransomware attack, causing disruptions in service and uncertainty for patients.
What happened:
On April 17th, Point32Health announced a ransomware attack had occurred on multiple plans they are the parent of. The situation is ongoing, and impacts Harvard Pilgrim Health Care and Medicare Advantage Stride plans. As the second largest health insurer in the state, it leaves many unsure of the safety of their data.
In an attempt to keep health information protected, the organization is significantly limiting what data is allowed to go through their digital systems.
For Harvard Pilgrim Health Care, no files are allowed in or out, and no electronic payments are being accepted. The website has also been taken offline.
Prior authorizations for many health treatments are being waived, except for treatments such as CAR-T cell therapy, solid organic transplant surgeries, and gender-affirming surgical procedures. Prior authorization also remains a requirement for pharmacy and medical benefit drugs, which were systems unaffected by the ransomware attack.
Why it matters:
The effects of the ransomware attack are being felt by some patients who are now struggling to receive their insurance benefits. Boston news site WCVB reported some patients had their health insurance rejected when attempting to receive care. One individual tried to use their insurance at a CVS MinuteClinic, but had to "leave the clinic without care."
When patients are unable to receive the care they need or are told to pay out of pocket for treatment that should be covered, it increases the risk of serious illness, or worse in extreme scenarios.
What was said:
In their statement, the company explained their decision to take Harvard Pilgrim Health Care offline was "proactive," and they are now working with "third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation."
While Point32Health detected an unauthorized party, they currently believe that no data has been compromised.
Harvard Pilgrim Health Care is recommending individuals needing assistance "call the number on the back of their ID Card" to work with a representative in order to access insurance benefits.
Going deeper:
Ransomware attacks like the one faced by Point32Health are becoming increasingly common. Healthcare organizations tend to be vulnerable to attacks because they are more likely to pay the attackers than slow down their processes.
As 2023 marches on, it's estimated that ransomware attacks will continue evolving and increasing, with more attackers eying healthcare organizations.
Read more: Ransomware is targeting vulnerable, smaller clinics
The bottom line:
Point32Health has yet to release information on what may have led to the ransomware attack or if they paid the attackers. Regardless, they face significant impacts on services that may impact patients even after the service has been restored. Healthcare companies must remain diligent in discovering how these ransomware attacks occur and follow proper cybersecurity measures to prevent future events from taking place.
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
