Data breach results in several class action lawsuits against Harvard Pilgrim Health Care

Harvard Pilgrim Health Care and its parent company, Point32Health, faced a large data breach after hackers accessed more than 2.5 million individuals' protected health information in April. Now, they face several class action lawsuits.


What happened

Back in April, Point32Health announced a ransomware attack that took place between March 28th, 2023, and April 17th, 2023. The event affected Harvard Pilgrim Health Care and Medicare Advantage Stride Plans and caused a temporary delay in sending or receiving files or payments. Some processes and functions continue to face delays. 

At the time, some patients were left confused and frustrated after being unable to receive the care they needed. Ultimately, at least 2.5 million individuals were affected and had their protected health information leaked.  

Now, at least 4 civil suits have been filed in the U.S. District Court for the District of Massachusetts. The lawsuits largely allege that a lack of proper cybersecurity measures caused the incident. The plaintiffs argue that the negligence has left them vulnerable to identity theft and fraud and violates the HIPAA Security Rule. 

Read more: Massachusetts health organization faces ransomware attack


Why it matters

According to The Harvard Crimson, one of the plaintiffs alleges that Point32Health and Harvard Pilgrim Health Care engaged in a "willful failure" to uphold responsible cybersecurity measures. Another plaintiff stated they continue to face the after-effects of identity theft. 

The situation is serious, as the HIPAA Security Rule requires physicians to correctly store protected health information using appropriate physical and technical safeguards. While ransomware continues to evolve and is becoming harder to safeguard against, it's still necessary for healthcare companies to be diligent in preventing and resolving ransomware attacks. 

Related: #StopRansomware Guide released by the U.S. Joint Ransomware Task Force


What was said

The lawsuit filed by attorneys for Valeria Salerno Gonzalez alleges Harvard Pilgrim Health Care "intentionally, willfully, recklessly, or negligently" maintained customers' sensitive data, allowing hackers to gain access. 

In a statement released to The Harvard Crimson, Point32Health spokesperson Kathleen Makela said the organization has made "significant progress in bringing our systems back online and processing various business transactions."

Makela also said they expect more "core functions and tools to come back online" in the coming weeks. 


The bottom line 

While Point32Health and Harvard Pilgrim Health Care work to get all systems back online, victims of the ransomware attack may continue to feel the effects of having their data leaked. One individual already mentioned receiving an uptick in scam phone calls.

It may take months to see how the allegations play out. Still, with lawsuits mounting, Point32Health and Harvard Pilgrim Health Care will likely reevaluate their cybersecurity mechanisms to see what, if anything, could have been done to prevent this massive event.

Related: HIPAA Compliant Email: The Definitive Guide
