2.5 million individuals impacted following ransomware against Harvard Pilgrim Health Care

Last week, Harvard Pilgrim Health Care (HPHC), a Massachusetts-based non-profit health services provider released a data breach notice disclosing that a ransomware attack it suffered in April 2023 impacted 2,550,922 people, as well as the threat actors stealing their sensitive data from compromised systems.

The notice revealed that the threat actors had maintained access to HPHC’s systems between March 28 and April 17, 2023, and had exfiltrated sensitive data from HPHC’s network. The stolen files include the following types of sensitive information:

• Full names
• Physical addresses
• Phone numbers
• Dates of birth
• Health insurance account information
• Social Security numbers
• Provider taxpayer-identification numbers
• Clinical information, including medical history, diagnoses, treatment, dates of service, and provider names

In the notice, HPHC clarified that the incident impacted current and former members of Harvard Pilgrim, who had a registration date starting on March 28, 2012.  In response to the data breach, HPHC has provided credit monitoring and identity theft protection services to safeguard individuals impacted by this security incident. No ransomware group has yet claimed responsibility for the attack on HPHC, according to the information available at this time.