Datalyst Blog
Another Massachusetts Healthcare Organization Hit by Cybercriminals
I just want to come out and say it: if your business has any interaction with the healthcare industry, you need to have your cybersecurity audited. While we certainly didn’t need another example of why this is so important, the ransomware attack aimed at Harvard Pilgrim Health Care has given us one.
Let’s briefly go over what happened, and come back to why it clearly demonstrates that proper cybersecurity simply cannot be taken for granted.
In Short, a Ransomware Attack Has Made Operations Difficult for Mass’ Second-Largest Insurer
As a result of a ransomware attack that was first discovered on April 17th, Harvard Pilgrim Health Care—owned by Point32Health—was rendered unable to accept submissions for its commercial members and has consequently needed to waive any prior authorization requirements for covered services.
What’s worse, while there was initially no evidence of any data theft taking place, Point32Health has since disclosed that their investigation showed signs that HPHC data had been copied and extracted from their systems in the span of time between March 28 and April 17. This data reportedly includes personal information and protected health information for current as well as former subscribers and their dependents, along with healthcare providers currently contracted with HPHC.
According to HPHC’s official notice concerning the data security incident: “We determined that the files at issue may contain the following types of personal information and/or protected health information: names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information (e.g., medical history, diagnoses, treatment, dates of service, and provider names).”
The insurance provider has since established a call center to field questions from their subscribers and is offering complimentary credit monitoring and identity theft protection. However, this doesn’t change the fact that a lot of people could have potentially been impacted, as HPHC serves over 1.1 million members throughout Massachusetts, New Hampshire, Maine, and Connecticut…and it certainly doesn’t change the fact that this is just another example of an ongoing pattern.
Healthcare and Related Industries are a Favored Target of Cybercriminals
According to a study conducted by the University of Minnesota and other institutions, ransomware attacks more than doubled between 2016 and 2021…and nearly half of these attacks (44.4%) had an impact on healthcare delivery.
This is not a good statistic to see…and it is only made worse when paired with another finding: only about one in five affected healthcare organizations are able to restore their data from a backup. The same study also revealed that this stolen data was commonly made public and put up for sale. Again, not good.
All of this is part of a larger pattern that has been slowly revealing itself through studies and polls: ransomware attacks against healthcare are on the rise. Sophos conducted a poll back in June 2022 that said as much when it revealed that such attacks doubled between 2020 and 2021—and that these attacks were more complex, too.
Of course, given the nature of the healthcare industry, these attacks take on an even darker edge when you consider the potential consequences. Data theft is bad enough, but ransomware can have even worse impacts. Without the data they need, healthcare organizations can’t properly do their jobs… meaning that the people they care for can get seriously hurt, or worse.
You Need to Make Sure Your House is in Order
Ransomware is not to be taken lightly, no matter what your business does, who you serve, or the data you collect—but given what we’ve just discussed, it’s literally a matter of life and death for the healthcare industry. As we said from the start, it is only becoming more and more urgent that any business with any interaction with healthcare processes undergoes a complete cybersecurity audit to identify weak points in their defenses so that these weaknesses can be corrected. My team and I are here to help you accomplish just that.
I cannot urge you enough to reach out to Datalyst so that we can take a look at your cybersecurity and ensure that all potential issues and vulnerabilities are found and addressed. Please do not hesitate to reach out to us at (774) 213-9701 to learn more.