Sam Drysdale and Michael P. Norton|SHNS
State insurance regulators have opened an examination into a cyberattack on one of the state's largest health insurance providers.
The Division of Insurance is monitoring the Point32Health data breach, which may have compromised personal data including addresses, medical history and Social Security numbers of current and former Harvard Pilgrim Health Care policyholders, according to Executive Office of Housing and Economic Development spokesperson Margaret Quackenbush.
The insurance giant, which is the parent company of Harvard Pilgrim, informed members that an investigation into a ransomware attack it identified last month has now determined that patient information might have been stolen.
In addition to its examination into how the data breach could affect the company, health care providers and members who use the insurance, DOI has been in contact with Point32Health to provide consumers and providers with resources to address negative impacts on credit or other financial consequences of the breach, Quackenbush said. State regulators are required to monitor the solvency and market conduct of insurers, and officials want to ensure the situation is being properly addressed, because a data breach could affect an insurer's financial condition and, consequently, consumers and providers.
Quackenbush did not provide a copy of the notice DOI sent to Point32Health regarding the examination, suggesting a public records request was needed first.
According to the state Office of Consumer Affairs and Business Regulation, a business must notify that office, the attorney general's office and affected consumers "within a reasonable amount of time after either the discovery of a breach or knowledge that personal information was obtained."
However, Quackenbush said Point32Health had not yet sent OCABR written notice of the breach. The company first identified the cyberattack on April 17 and announced on Tuesday that patient information might have been "copied and taken" from Harvard Pilgrim systems between March 28 and April 17.
According to the state, the notification must include the number of Massachusetts residents affected as of the time of notification, information regarding whether law enforcement is engaged investigating the incident, and a "detailed description of the nature and circumstances of the breach of security or unauthorized acquisition or use of personal information," among other things.
Though Point32Health has not sent official notice of the incident, the company has been in touch with OCABR to inform the office that it is conducting an internal investigation into what data was breached and whether it contained personal health information, Quackenbush said.
When asked to share any formal notification to state authorities about the breach, Harvard Pilgrim spokesperson Kathleen Makela said in an email Thursday that the insurer "conveyed to them the same information that is available on our website."
The insurer also declined to offer an estimate of the number of people potentially affected by its breach. Makela said the insurer was "notifying individuals whose information may have been involved in the incident" and notifying them "through their employers, website, and through media coverage."
"In the coming weeks we will also start to mail notices for those individuals for whom we have valid mailing addresses," Makela wrote to the News Service.
Point32Health informed OCABR that it hired a third party to handle consumer inquiries about the breach, according to Quackenbush, and is offering credit monitoring services through IDX. The insurance giant is also working with an outside firm on security enhancements.
[Alison Kuznitz contributed reporting.]