Harvard Pilgrim Health Care Provides Notice of Data Security Incident

Harvard Pilgrim Health Care (“Harvard Pilgrim”) is providing notice of a data security incident that may affect the privacy of certain individuals’ protected health information and/or personal information.

On April 17, 2023, Harvard Pilgrim discovered a cybersecurity ransomware incident that impacted systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). We are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation.

We take the privacy and security of the data entrusted to us seriously. We are continuing our active investigation and conducting extensive system reviews and analysis before we can resume our normal business operations. Unfortunately, the investigation identified signs that data was copied and taken from our Harvard Pilgrim systems from March 28, 2023, to April 17, 2023. We want to assure you that we are taking this incident extremely seriously, and we deeply regret any inconvenience this incident may cause.

We determined that the files at issue may contain the following types of personal information and/or protected health information: names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information (e.g., medical history, diagnoses, treatment, dates of service, and provider names). We are not aware of any misuse of personal information or protected health information as a result of this incident.

Harvard Pilgrim has established a dedicated call center for individuals to contact with questions or concerns and for potentially impacted individuals to enroll in complimentary credit monitoring and identity theft protection services. If you have any questions regarding this incident, please contact the dedicated assistance line at IDX, which can be reached at 888-220-5517 (toll free), Monday through Friday from 9:00 AM to 9:00 PM ET, excluding U.S. holidays. If members have any questions about other issues unrelated to this ransomware incident or are being denied care, please call the number on the back of your Harvard Pilgrim member ID card for assistance. If providers have questions, please contact the Provider Service Center by email at provider_callcenter@point32health.org.

Harvard Pilgrim continues to take steps to implement additional data security enhancements and safeguards to better protect against similar events in the future. We remain committed to safeguarding the privacy and security of information we collect in providing services to our members.

Frequently asked questions

Am I impacted by the incident?

You may have been impacted if you are a current or former member of Harvard Pilgrim (including individual and family plans purchased directly from us, state-based exchanges or plans selected through your employer) between March 28, 2012, and present, or if you are a provider currently contracted with Harvard Pilgrim.

You may also have been impacted if you are a current or former member of Health Plans Inc. between June 1, 2020, and present. Harvard Pilgrim is still investigating this incident and will provide updates if the investigation determines additional individuals may potentially be impacted.

What systems are still affected or offline? Questions about health plan coverage or other clinical questions related to care.

Harvard Pilgrim Health Care commercial plan members: Call the number on the back of your ID card. If you do not have your ID card available, please call 888-333-4742 (TTY: 711). Representatives are available Mondays, Tuesdays and Thursdays from 8 a.m. to 6 p.m.; Wednesdays from 10 a.m. to 6 p.m.; and Fridays from 8 a.m. to 5:30 p.m.

Harvard Pilgrim Health Care Medicare Advantage Stride^SM (HMO)/(HMO-POS) plan members: Call 888-609-0692 (TTY: 711). Representatives are available Monday through Friday from 8 a.m. to 8 p.m.

What are general steps I can take to help protect my personal information?

Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 877-322-8228. Consumers may also directly contact the three major credit reporting bureaus listed below to request a free copy of their credit report.

Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If consumers are the victim of identity theft, they are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should consumers wish to place a fraud alert, please contact any of the three major credit reporting bureaus listed below.

As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in a consumer’s name without consent. However, consumers should be aware that using a credit freeze to take control over who gets access to the personal and financial information in their credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application they make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, consumers cannot be charged to place or lift a credit freeze on their credit report. To request a credit freeze, individuals may need to provide some or all of the following information:

Full name (including middle initial as well as Jr., Sr., II, III, etc.);
Social Security number;
Date of birth;
Addresses for the prior two to five years;
Proof of current address, such as a current utility bill or telephone bill;
A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if they are a victim of identity theft.

Should consumers wish to place a credit freeze or fraud alert, please contact the three major credit reporting bureaus listed below:

Equifax	Experian	TransUnion
https://www.equifax.com/personal/credit-report-services/	https://www.experian.com/help/	https://www.transunion.com/credit-help
1-888-298-0045	1-888-397-3742	1-800-916-8800
Equifax Fraud Alert, P.O. Box 105069 Atlanta, GA 30348-5069	Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013	TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016
Equifax Credit Freeze, P.O. Box 105788 Atlanta, GA 30348-5788	Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013	TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094

How are we notifying impacted members?

While these investigations often take time to fully complete and sometimes only reveal limited additional information, the investigation is progressing and by June 15, 2023, we anticipate that we will begin the process of mailing written notifications to all potentially impacted individuals, such as current and former health plan subscribers and dependents including former members of employer groups no longer active with Harvard Pilgrim, dating back to March 28, 2012, for whom we have up to date contact information. Those individuals for whom we do not have up to date contact information have been notified through the previously mentioned notice on our public website consistent with the substitute notice requirement set forth in the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.

For additional frequently asked questions, please read the Point32Health system update.