Insights

Harvard Pilgrim Health Care (HPHC), a Massachusetts-based nonprofit health services provider, announced that a ransomware attack occurring from March 28 to April 17, 2023, impacted about 2.55 million individuals. According to the disclosure made to the U.S. Department of Health and Human Services' breach portal, threat actors breached HPHC systems and stole sensitive data, affecting all its members. The breach was discovered on April 17, 2023, and the company has been conducting an extensive investigation with third-party cybersecurity experts since then.

The stolen data include highly sensitive information such as full names, addresses, phone numbers, dates of birth, health insurance account information, social security numbers, provider taxpayer identification numbers, and clinical data encompassing medical history, diagnoses, treatments, service dates, and provider names. This breach affects both current and former members of Harvard Pilgrim, who registered since March 28, 2012.

HPHC stated that it hadn't detected any misuse of the stolen data yet and was providing credit monitoring and identity theft protection services to those impacted. The incident is alarming as such data can potentially expose victims to phishing or social engineering attacks. In addition, it's common for ransomware gangs to exploit stolen data to pressure victims into paying ransoms, or sell it to other cybercriminals, or release it publicly if refused. No ransomware group has claimed responsibility for the HPHC attack yet. Members of HPHC are advised to be cautious of unsolicited messages and maintain vigilance for an extended period.