Health insurer hack means questions but still few answers for Mainers

Nearly 80,000 Mainers may have lost personal information to computer hackers who attacked one of the state’s largest health insurance companies in April. More than a month later, the extent of the damage is still unknown.

Harvard Pilgrim Health Care was the victim of a “cybersecurity ransomware incident” discovered on April 17. The incident is among a growing number of cyberattacks in the health care sector.

Although health care providers say services for patients insured by Harvard Pilgrim aren’t being interrupted, the attack has caused disruptions for some members, who have been unable to retrieve billing information or log into their HPHC accounts.

Hackers accessed sensitive personal data – possibly including names, addresses, birth dates, Social Security numbers and medical histories – over a nearly three-week span from March 28 to April 17, Harvard Pilgrim said on its website last week. The breach affected a variety of information systems that serve members, insurance brokers and providers. Many functions, including logins for members, remained offline Tuesday.

Kathleen Makela, a spokesperson for parent company Point32Health, expects some systems to be back online over the next several weeks.

Makela said the company was not aware of any misuse of the information. But because personal data is stolen, sold and used so frequently and in so many ways, the illicit activity can be extremely difficult to trace to any single breach and to stop from being shared. The results, such as fraudulent purchases and identity theft, often appear months later. In many cases, a lag time before consumers are warned of a data breach may increase its danger.

Makela said Harvard Pilgrim is currently notifying members about the breach through their employers, the website posts and news media coverage. She said the company also plans to start mailing notices to members in coming weeks.

As of Tuesday, the hack had yet to appear on a state-maintained log of data breaches affecting Maine consumers. Maine law requires organizations that handle personal information to notify consumers of a potential data breach “as expediently as possible and without unreasonable delay.”

In Massachusetts, which has a similar requirement, state insurance regulators have opened an investigation into the cyberattack and Point32Health’s failure to provide written notice of the breach, the Boston Business Journal reported.

Harvard Pilgrim, a not-for-profit company headquartered in Canton, Massachusetts, did not say how many of its 1.1 million members across New England might be affected. The company insures about 79,000 people in Maine, Makela said, making it the second-largest health insurer in the state after Anthem Health Plans of Maine.

Mainers can continue to access care, she added. That pledge was repeated by spokespeople from the state’s two largest health care systems, MaineHealth and Northern Light Health, and InterMed P.A., a large medical practice based in Portland. All said patients would continue to receive full, uninterrupted services, regardless of their insurance providers.

LUCRATIVE INFORMATION

Data breaches targeting the health care sector have risen steadily over the last decade and doubled in the last three years, according to the Food and Drug Administration’s Office of Information Security. In the past month alone, breaches affecting Maine residents have included ones at health-related companies Apria Healthcare, Managed Care of North America, NationsBenefits and NextGen Healthcare.

Nick Knowlton, CEO of Dirigo Technology in Lewiston, said this increase is mainly due to the type of information and records health care organizations store and the importance of the data.

“Gaining access to health care records typically would give a bad actor enough information to steal a person’s identity (and) open accounts in their name,” Knowlton said.

“There is a lot of gain from medical records for a hacker.”

The records are more valuable than even credit card information, according to a November report by the Senate Intelligence Committee. Hackers can sell stolen medical files for as much as $1,000 apiece.

Health care practices have moved to almost entirely electronic records, which makes sensitive data more vulnerable to unauthorized access. The increase in electronic records has required stringent patient protection measures, and providers can face hefty fines if they’re found to have skimped on protections, Knowlton said.

Because of this, he added, hospitals tend to spend more on information security than most other industries.

Data suggests that money may be well spent. The average data breach costs the health care industry $10.1 million, up 42% since 2020, according to a report from IBM. That’s the highest of any industry and is more than the national average of $9.44 million.

Black Kite, a cyber-risk intelligence company, found that more than one-third of all cyberattacks in 2022 targeted the health care industry.

Sen. Angus King of Maine, an independent who co-chaired the federal Cyberspace Solarium Commission, said in a phone interview Friday that health care is one of the industries most vulnerable to cyberattacks.

The systems are decentralized and often lack the necessary resources to have a full staff working to fight against cybercrime.

Maine, in particular, is at risk because health care is provided by numerous small hospitals, medical practices and other providers spread across the state, he said.

King noted that the commission has made dozens of recommendations for how to improve the nation’s cybersecurity, most of which have become law.

“It’s an ever-evolving threat, there’s never a time when you can say ‘OK, we’re all set,’” he said. “The only facilities that haven’t been attacked are the ones that don’t know they were attacked.”