The second largest health insurer in Massachusetts was the victim of a ransomware attack in which sensitive personal information as well as the health information of current and past members may have been compromised, company officials said.
Point32Health said in a statement on its website on Tuesday that a “cybersecurity ransomware incident” affecting its Harvard Pilgrim Health Care Program was detected on April 17.
An ongoing investigation indicated that from March 28 to April 17, members’ addresses, phone numbers, dates of birth, Social Security numbers, medical histories, treatments, dates of service, provider names and other information may have been compromised.
The nonprofit said it was not aware of any misuse of the information. It did not say how many people may be affected.
“We are working with third-party cyber security experts to thoroughly investigate this incident and rectify the situation,” the statement said. Harvard Pilgrim is taking steps to strengthen its cyber security.
Company spokeswoman Kathleen Makela said Wednesday via email that the company will notify those whose information may have been involved.
The company also contacted the FBI. An FBI spokeswoman said the agency had no comment.
According to the company’s website, Harvard Pilgrim Health Care provides services to more than 1.1 million members in Massachusetts, New Hampshire, Maine and Connecticut.
In ransomware attacks, hackers lock down a computer network and demand money to unlock it. Point32Health did not say whether it paid the ransom or not.
Law enforcement agencies, school systems, energy infrastructure, and health systems have all been victims of such attacks in recent years.
The Harvard Pilgrim breach affected systems used to serve members, brokers and providers, and some operations remained closed.
Many of these systems are expected to be restored in the coming weeks, according to Makela.
“We are currently going through internal IT and business validation. Once this process is complete, some of our processes will be available in a phased manner, along with our full security audit,” she wrote.
The insurer said it has been able to ensure its members have access to care.
Other Point32Health companies like Tufts Health Plan and CarePartners of Connecticut were not affected.