Notice of Data Security Incident

Harvard Pilgrim Health Care (“Harvard Pilgrim”) is providing notice of a data security incident that may affect the privacy of certain individuals’ protected health information and/or personal information.

On April 17, 2023, Harvard Pilgrim discovered a cybersecurity ransomware incident that impacted systems that support Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS). We are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation.

We take the privacy and security of the data entrusted to us seriously. As we resume our normal business operations, we are continuing our active investigation and extensive system reviews. Unfortunately, the investigation identified signs that data was copied and taken from our Harvard Pilgrim systems from March 28, 2023, to April 17, 2023. We want to assure you that we are taking this incident extremely seriously, and we deeply regret any inconvenience this incident may cause.

We determined that the files at issue may contain the following types of personal information and/or protected health information: names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information (e.g., medical history, diagnoses, treatment, dates of service, and provider names). We are not aware of any misuse of personal information or protected health information as a result of this incident.


Harvard Pilgrim has established a dedicated call center for individuals to contact with questions or concerns and for potentially impacted individuals to enroll in complimentary credit monitoring and identity theft protection services. If you have any questions regarding this incident, please contact the dedicated assistance line at IDX, which can be reached at 888-220-5517 (toll free), Monday through Friday from 9:00 AM to 9:00 PM ET, excluding U.S. holidays. If members have any questions about other issues unrelated to this ransomware incident or are being denied care, please call the number on the back of your Harvard Pilgrim member ID card for assistance. If providers have questions, please contact the Provider Service Center by email at provider_callcenter@point32health.org.


Harvard Pilgrim continues to take steps to implement additional data security enhancements and safeguards to better protect against similar events in the future. We remain committed to safeguarding the privacy and security of information we collect in providing services to our members.
 

Frequently asked questions

You may have been impacted if you are a current or former member of Harvard Pilgrim (including individual and family plans purchased directly from us, state-based exchanges or plans selected through your employer) between March 28, 2012, and April 17, 2023, or if you are a provider currently contracted with Harvard Pilgrim.

You may also have been impacted if you are a current or former member of Health Plans Inc. between June 1, 2020, and April 17, 2023. Harvard Pilgrim is still investigating this incident and will provide updates if the investigation determines additional individuals may potentially be impacted.

System limitations impacted coverage under Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans. Tufts Health Plan, Tufts Medicare Preferred, Tufts Health Public Plans and CarePartners of Connecticut systems were accessible throughout the incident.

Harvard Pilgrim Health Care commercial plan members: Call the number on the back of your ID card. If you do not have your ID card available, please call 888-333-4742 (TTY: 711). Representatives are available Mondays, Tuesdays and Thursdays from 8 a.m. to 6 p.m.; Wednesdays from 10 a.m. to 6 p.m.; and Fridays from 8 a.m. to 5:30 p.m.

Harvard Pilgrim Health Care Medicare Advantage Stride℠ (HMO)/(HMO-POS) plan members: Call 888-609-0692 (TTY: 711). Representatives are available Monday through Friday from 8 a.m. to 8 p.m.

Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 877-322-8228. Consumers may also directly contact the three major credit reporting bureaus listed below to request a free copy of their credit report.

Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If consumers are the victim of identity theft, they are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should consumers wish to place a fraud alert, please contact any of the three major credit reporting bureaus listed below.

As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in a consumer’s name without consent. However, consumers should be aware that using a credit freeze to take control over who gets access to the personal and financial information in their credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application they make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, consumers cannot be charged to place or lift a credit freeze on their credit report. To request a credit freeze, individuals may need to provide some or all of the following information:

  1. Full name (including middle initial as well as Jr., Sr., II, III, etc.);
  2. Social Security number;
  3. Date of birth;
  4. Addresses for the prior two to five years;
  5. Proof of current address, such as a current utility bill or telephone bill;
  6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
  7. A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if they are a victim of identity theft.

Equifax
https://www.equifax.com/personal/credit-report-services/


1-888-298-0045

Equifax Fraud Alert,
P.O. Box 105069
Atlanta, GA 30348-5069

Equifax Credit Freeze,
P.O. Box 105788
Atlanta, GA 30348-5788


Experian
https://www.experian.com/help/

1-888-397-3742

Experian Fraud Alert,
P.O. Box 9554,
Allen, TX 75013

Experian Credit Freeze,
P.O. Box 9554,
Allen, TX 75013
 

TransUnion
https://www.transunion.com/credit-help

1-800-916-8800

TransUnion Fraud Alert,
P.O. Box 2000,
Chester, PA 19016

TransUnion Credit Freeze,
P.O. Box 160,
Woodlyn, PA 19094

 

 

These investigations often take time to fully complete and sometimes reveal only limited additional information; the investigation is progressing. By June 15, 2023, we began the process of mailing written notifications to all potentially impacted individuals, such as current and former health plan subscribers and dependents, including former members of employer groups no longer active with Harvard Pilgrim, dating back to March 28, 2012, for whom we have up-to-date contact information. Those individuals for whom we do not have up-to-date contact information have been notified through the above notice, posted on our public website consistent with the substitute notice requirement set forth in the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.

Harvard Pilgrim is offering complimentary access to two (2) years of credit monitoring and identity theft protection services through IDX for potentially impacted individuals. The services offered include 1-bureau credit monitoring (CM), CyberScan web monitoring to detect illegal selling or trading of personal information, up to $1M in ID Theft Insurance, and assistance with fraud resolutions. The services are noted on the IDX Harvard Pilgrim informational website here.

Point32Health is offering complimentary credit monitoring and identity theft protection services to all individuals (adults and minors) who may potentially be impacted. You may have been impacted if you are a current or former member of Harvard Pilgrim (including individual and family plans purchased directly from us, state-based exchanges or plans selected through your employer) between March 28, 2012, and April 17, 2023, or if you are a provider currently contracted with Harvard Pilgrim. Potentially impacted individuals will need to provide some personal information for our dedicated IDX call center to verify your identity and allow for the monitoring of your credit. You can be assured that IDX and the enrollment website provided is a legitimate third-party provider of credit monitoring services. Please note that each enrollee (adult or minor) will receive their own individual credit monitoring account.

Individuals enrolling for credit monitoring service online via the enrollment code on their mailed notice must provide an email address. If you do not have an email address, or do not want to provide it, you will need to call the dedicated IDX assistance line to enroll, which can be reached at 888-220-5517 (toll free), Monday through Friday from 9:00 AM to 9:00 PM ET, excluding U.S. holidays. Enrollees who do not provide email addresses will receive credit alert notifications via US Mail.

Anyone who received a notice will receive 2 years of free credit monitoring running from the date that the individual enrolls. The deadline for enrollment is November 23, 2023.