Harvard Pilgrim Health Care and its parent company, Point32Health, are facing several class-action lawsuits after hackers gained access to the protected health information (PHI) of more than 2.5 million people in an April 2023 ransomware attack.
Point32Health is the second-largest insurer in Massachusetts, serving more than 2.4 million customers. Point32Health was formed following the merger of Harvard Pilgrim Health Care and Tufts Health Plan in 2021. According to Point32Health, hackers gained access to Harvard Pilgrim's systems on March 28, 2023 and maintained access to those systems until April 17, 2023, when the intrusion was detected and blocked. The attack was detected when ransomware was used to encrypt and prevent access to files. The forensic investigation confirmed that the affected systems contained PHI such as names, addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider tax identification numbers, and clinical information, and that such information was in files exfiltrated from its systems. Credit monitoring and identity theft protection services were offered free of charge to those affected for 2 years. There has been progress in recovering from the attack over the past 7 weeks; however, the IT systems supporting the commercial Harvard Pilgrim Health Care and Medicare Advantage Stride health plans have yet to be brought back online, and Point32Health expects the recovery process to take a few more weeks.
At least 4 lawsuits have now been filed in the US District Court for the District of Massachusetts in response to the attack, alleging that the Massachusetts health insurer failed to implement reasonable cybersecurity measures to ensure the confidentiality of members' information. One of the lawsuits – Salerno Gonzalez v Harvard Pilgrim Health Care Inc. et al – was filed on behalf of Harvard Pilgrim Health Care member Valeria Salerno Gonzales. The 4-count lawsuit alleges that defendants intentionally, willfully, recklessly or negligently withheld sensitive customer data, and that as a result of the defendants’ grossly negligent actions, hackers were able to gain access and steal plan members' sensitive data. The lawsuit alleges that the plaintiff and class members have been placed at imminent risk of harm and face an ongoing risk of identity theft and fraud. The lawsuit alleges negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment.
Another lawsuit, Tracie Wilson v Harvard Pilgrim Health Care, Inc. and Point32Health, Inc., was filed on behalf of Harvard Pilgrim Health Care Plan member Tracie Wilson. The 4-count lawsuit makes similar claims and alleges HIPAA Security Rule violations. The lawsuit also disputes the time taken by defendants to detect and report the breach. The delay in detection and notification meant that the plaintiff and class members were unaware that their sensitive data had been stolen and that they needed to take action to protect themselves from identity theft and fraud. The plaintiff says she experienced an increase in spam messages and phone calls following the data breach, and that she has spent and will continue to spend significant time and effort monitoring her accounts to protect against identity theft. She also claims to have experienced anxiety, sleep disruption, stress, fear, and frustration as a result of the data breach.
The lawsuits seek class action status, a jury trial, damages, declaratory and other equitable and injunctive relief, and an order from the courts to prevent defendants from engaging in further deceptive practices and to require them to implement reasonable security measures and adhere to FTC guidelines.
Image source: www.hipaajournal.com