Harvard Pilgrim Health Care and its parent company, Point32Health, are facing multiple class action lawsuits after hackers gained access to the protected health information (PHI) of more than 2.5 million individuals in an April 2023 ransomware attack.
Point32Health is the second largest insurer in Massachusetts and serves more than 2.4 million customers. Point32Health was formed following the merger of Harvard Pilgrim Health Care and Tufts Health Plan in 2021. According to Point32Health, hackers gained access to Harvard Pilgrim’s systems on March 28, 2023, and maintained access to those systems until April 17, 2023, when the intrusion was detected and blocked. The attack was detected when ransomware was used to encrypt and prevent access to files. The forensic investigation confirmed the affected systems contained PHI such as names, addresses, phone numbers, birthdates, health insurance account information, Social Security numbers, provider taxpayer ID numbers, and clinical information and that information was in the files exfiltrated from its systems. Credit monitoring and identity theft protection services have been offered to affected individuals at no cost for 2 years. Progress has been made in recovering from the attack over the past 7 weeks; however, the IT systems that support the Harvard Pilgrim Health Care commercial and Medicare Advantage Stride health plans have yet to be brought back online and Point32Health expects the recovery process to take a few more weeks.
At least 4 lawsuits have now been filed in the U.S. District Court for the District of Massachusetts in response to the attack. They claim the Massachusetts health insurer failed to implement reasonable cybersecurity measures to ensure the confidentiality of members’ information. One of the lawsuits – Salerno Gonzalez v. Harvard Pilgrim Health Care Inc. et al – was filed on behalf of Harvard Pilgrim Health Care member Valeria Salerno Gonzalez. The 4-count lawsuit alleges the defendants “intentionally, willfully, recklessly, or negligently” maintained the sensitive data of customers and, as a result of the grossly negligent actions of the defendants, hackers were able to gain access to and steal the sensitive data of plan members. The lawsuit alleges the plaintiff and class members have been placed at imminent risk of harm and face an ongoing risk of identity theft and fraud. The lawsuit alleges negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment.
Another lawsuit – Tracie Wilson v. Harvard Pilgrim Health Care, Inc. and Point32Health, Inc. – was filed on behalf of Harvard Pilgrim Health Care plan member Tracie Wilson. The 4-count lawsuit makes similar claims and alleges violations of the HIPAA Security Rule. The lawsuit also takes issue with the time it took the defendants to detect and report the breach. The delay in detection and notification meant the plaintiff and class members were unaware that their sensitive data had been stolen and that they needed to take action to protect against identity theft and fraud. The plaintiff claims to have had an increase in spam texts and phone calls following the data breach and says she has spent, and will continue to spend, considerable time and effort monitoring her accounts to protect against identity theft. She also claims she has experienced anxiety, sleep disruption, stress, fear, and frustration due to the data breach.
The lawsuits seek class action status, a jury trial, damages, declaratory and other equitable relief, and injunctive relief, and call for an order from the courts to prevent the defendants from engaging in further deceptive practices and to require them to implement reasonable security measures and adhere to FTC guidelines.