Harvard Pilgrim Health Care Plan Sued After Massive Data Breach Featured

Lawsuit alleges that Harvard Pilgrim, one of the largest healthcare insurers in the Northeast, along with its parent company Point32Health failed to adequately protect the data of 2.5 million customers.

A class action lawsuit was recently filed against healthcare insurance giant Harvard Pilgrim Health Care and its parent company, Point32Health, alleging that the insurer failed to adequately secure its customers’ personal information. As a consequence, hackers were able to conduct a massive data breach affecting 2.5 million customers.

According to the lawsuit, HPHC and Point32Health clients “have suffered (and will continue to suffer)” identity theft and other damages, and that HPHC and Point32Health breached an “implied covenant of good faith and fair dealing” and “were unjustly enriched” at the expense of their clients.

What Happened?

According to the notice published on HPHC’s website, On April 17, 2023, Harvard Pilgrim discovered a cybersecurity ransomware incident that impacted systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS).

An investigation revealed that sensitive and protected customer data was exfiltrated from their systems from March 28, 2023 until April 17, 2023. The information stolen includes –

  • name
  • physical address
  • phone numbers
  • dates of birth
  • health insurance account information
  • Social Security numbers
  • provider taxpayer identification numbers
  • clinical information including
    • medical history
    • diagnoses
    • treatment
    • dates of service
    • provider names

The above information is very sensitive and could expose affected individuals to phishing or social engineering attacks.

Who’s impacted by the breach?

Individuals impacted by the breach are current or former members of Harvard Pilgrim (including individual and family plans purchased directly from HPHC and Point32Health, state-based exchanges or plans selected through your employer) between March 28, 2012, and April 17, 2023, or if you are a provider currently contracted with Harvard Pilgrim or Point32Health.

You may also have been impacted if you are a current or former member of Health Plans Inc. between June 1, 2020, and April 17, 2023. Harvard Pilgrim is still investigating this incident and will provide updates if the investigation determines additional individuals may potentially be impacted.

HPHC and Point32Health to begin notifying customers by June 15, 2023

According to HPHC’s website, HPHC and Point32Health will begin the process of mailing written notifications to all potentially impacted individuals for whom they have up to date contact information. Both HPHC and Point32Health are relying on their website notice to inform those individuals for whom they do not have up to date contact information.

What should you do if you receive a Data Breach Letter?

Individuals who receive a data breach letter should take steps to protect themselves. Further, consider contacting a data breach attorney immediately. Customers and patients who received a data breach letter may be entitled to financial compensation beyond what HPHC and Point32Health are offering.

In the data breach letter, HPHC and Point32Health will very likely offer victims of the breach free credit monitoring and identity protection services. If so, victims should enroll in this service immediately. This will not impact your legal rights.

Understand your rights regarding the HPHC Point32Health data breach

Consumers should know that a limited amount of credit monitoring is not enough to protect them from the life-long burden of protecting their identity. At some time in the future, criminals may use this information to:

  • open new financial accounts in victims names,
  • take out loans using victims identities,
  • obtain medical services,
  • use health information to craft phishing and other hacking attacks based on a victims individual health needs,
  • obtain government benefits,
  • file fraudulent tax returns
  • obtain drivers licenses,
  • give false information to police during an arrest.

Case Status: Open – Not Accepting New Clients


Leave a Reply

Your email address will not be published. Required fields are marked *