Massachusetts health plan hit with ransomware and service disruptions

Point32Health, the parent organization of Harvard Pilgrim Health Care and other health insurance plans, has taken HPHC systems offline, and providers are unable to confirm patient eligibility.
By Andrea Fox
08:06 AM


As a result of a ransomware attack affecting Harvard Pilgrim Health Care commercial and Medicare Advantage Stride plans, HPHC parent company Point32Health says it is waiving prior authorizations for most medical and behavioral health-covered services and cannot accept claim submissions for Harvard Pilgrim commercial members at this time. 

WHY IT MATTERS

Point32Health, which is the second largest health insurer in the Bay State, also owns several other health plans that are thus far unaffected by the cyberattack. The company detected the presence of a malicious actor within its network on April 17, according to a statement on its website.

While the insurer indicated that it does not yet have evidence that protected health information was compromised, an online FAQ for members, providers and brokers indicated the following impacts to operations that affect providers and patients:

  • No files are going into or out of Harvard Pilgrim Health Care systems, including EDI, HRA/HSA and data warehouse extracts, and no electronic payments are being taken.
  • Prior authorizations for CAR-T cell therapy, gender-affirming surgical procedures and solid organ transplant surgeries are not waived – all others are waived until further notice.
  • Prior authorizations for pharmacy and medical benefit drugs are still required, because those systems continue to function normally.

Member enrollments being processed when systems went down could be denied at the pharmacy, the company noted in the FAQ. 

"We are actively working with Optum to load newly enrolled members into OptumRx," Point32Health says.

"If members are having difficulties filling a prescription, they should call the number on the back of their ID card, and a representative will work to ensure that their medication can be filled."

Some disruptions to care are being reported as providers and pharmacies may be concerned about a member's covered services and medications.

WCVB reported that a viewer was told at a CVS MinuteClinic that their health insurance was rejected and they would need to pay out of pocket. 

"I left the clinic without receiving care," the viewer reported.

According to the Boston Business Journal, Point32Health is currently in an open enrollment period for Massachusetts' state employees until May 5. New enrollees will receive temporary member ID cards, according to the Point32Health FAQ.

HPHC websites remain offline and are repointing to the Point32Health System Update statement and FAQ as of Monday morning.

THE LARGER TREND

A University of Minnesota Public Health study published recently in JAMA found that half of the ransomware attacks from 2016-2021 disrupted healthcare delivery.

While the disclosure of protected health information is always a concern for HIPAA-required organizations, disruptions to care can result in patient injury, and even death.

"Common disruptions included electronic system downtime, 41.7%, cancellations of scheduled care, 10.2%, and ambulance diversion 4.3%," according to the researchers.

While provider organizations are often the primary targets for cyberattacks in the healthcare sector, insurers and other sources of high-value healthcare data are also attacked. 

The French health insurance company Mutuelle Nationale des Hospitaliers experienced a RansomExx ransomware attack that disrupted the company's healthcare operations in 2021. 

Last month, the DC Health Link insurance marketplace experienced a security breach that compromised the personal data of numerous House of Representatives members, spouses, dependents and employees in both parties, according to a Politico report.

ON THE RECORD

"While we work diligently to restore affected systems as quickly and as safely as possible, our team is working around the clock to ensure Harvard Pilgrim Health Care members receive the services they need," according to Point32Health in its statement.

"We take the privacy and security of the data entrusted to us seriously. If during our investigation we determine any individuals’ sensitive information is involved in this incident, we will notify them according to applicable law."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
