Harvard Pilgrim Health Care, a Canton, Massachusetts-based nonprofit health services provider, has confirmed that it was the victim of a ransomware attack in April 2023. The threat actor behind the attack stole sensitive data from its systems, including the personal and HIPAA-protected information of 2,550,922 individuals.
The forensic investigation confirmed that the hackers first gained access to its systems on March 28, 2023, and had access to those systems until the intrusion was detected and blocked on April 17, 2023. It is unclear if ransomware was actually deployed in the attack or if the ransom was paid.
No ransomware gang has claimed responsibility for the attack and the stolen data does not appear to have been publicly released, which could indicate a ransom was negotiated with the group. Ransomware gangs tend to steal data to pressure victims into paying the ransom and then threaten to publicly release the stolen data if payment is not made. The decision may instead have been taken to sell the stolen data. In such cases, ransomware gangs may not publish the stolen data.
Harvard Pilgrim Health Care has completed its review of the affected files and has confirmed that they contain full names, addresses, phone numbers, dates of birth, health insurance information, taxpayer ID numbers, Social Security numbers, and clinical information, including medical histories, diagnoses, treatment information dates of service, and provider names. The incident impacted systems used to support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans and the affected data spans from March 28, 2012, to the date of the attack.
Harvard Pilgrim Health Care said it has made several data security enhancements in response to the incident to protect against further attacks and has detected no misuse of the affected data to date. Notification letters have been mailed to affected individuals, who have been offered complimentary credit monitoring and identity theft protection services.