The healthcare sector is one of the most heavily targeted industries by cybercriminals and Harvard Pilgrim Healthcare (HPHC) is one of the latest targets. An April ransomware attack compromised the PPI and PHI of 2.5 million members of the Massachusetts-based company, which has led to multiple class action lawsuits against the company and its parent company, Point32Health.
The appeal of targeting healthcare companies by cybercriminals shows no signs of slowing down in 2023. According to the U.S. government’s OCR (Office for Civil Rights) the healthcare firms reported 145 data breaches in the first three months of 2023 alone. In 2022, nearly 50 million Americans were affected by breaches of health data. Hospitals and health systems have been hit with scores of ransomware attacks, and cybersecurity experts say attackers are targeting smaller hospitals as they tend to be even more vulnerable.
Point32Health is the second largest insurer in Massachusetts and serves more than 2.4 million customers. The data from Harvard Pilgrim Healthcare (which is not affiliated with Harvard University, but founded by a former Harvard Medical School dean) was copied and taken from the healthcare payer’s systems during a cyberattack that occurred between March 28 and April 17.
HPHC, which has members in Massachusetts, New Hampshire, Maine and Connecticut, said exfiltrated data may have included names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers and clinical information.
At least four lawsuits have been filed in the U.S. District Court for the District of Massachusetts in response to the attack. The lawsuits claim the health insurer failed to implement reasonable cybersecurity measures to ensure the confidentiality of members’ information.
The attack is just one of several large data breaches impacting the healthcare sector in 2023, including a ransomware attack on Regal medical Group out of southern California, which exposed the data of 3.3 million people, and telehealth company Cerebral, which potentially disclosed information from 3.1 million people.
While providers are specifically targeted by cybercriminals, cybersecurity experts are emphasizing that the entire healthcare ecosystem as a whole – including payers and pharma – needs to work together, according to Greg Conti, principal with cybersecurity training and professional services firm Kopidion.
“Detecting and mitigating attacks early in the kill chain can stop attacks before we feel the effects,” he told Healthcare IT News. “Sharing of threat information and creating visibility and situational awareness for not just an individual company but the healthcare industry as a whole will allow you to see attacker activity in advance and take appropriate measures.”