Massachusetts insurance regulators have opened an investigation into a cyber attack on one of the state\’s largest health insurance providers.
The insurance division is monitoring the Point32Health data breach, which may have compromised personal data including addresses, medical histories and Social Security numbers of current and former Harvard Pilgrim Health Care policyholders, according to Margaret Quackenbush, a spokeswoman for the Executive Office of Housing and Economic Development.
The insurance giant, which is the parent company of Harvard Pilgrim, informed members last week that an investigation into a ransomware attack identified last month determined that patient information may have been stolen.
In addition to examining how the data breach could impact the business, healthcare providers, and members using insurance, the State Insurance Division has been in contact with Point32Health to provide consumers and providers with resources to address the adverse credit or other financial consequences of the breach, Quackenbush said. State regulators are required to monitor the creditworthiness and market conduct of insurers, and officials want to ensure the situation is being adequately addressed because a data breach could affect an insurer\’s financial condition and, by extension, consumers and customers. providers.
Quackenbush did not provide a copy of the notice the Division of Insurance sent to Point32Health regarding the review, suggesting a public records request was needed first.
Under the state\’s Office of Consumer Affairs and Business Regulation, a business must notify that office, the Attorney General\’s Office, and affected consumers within a reasonable amount of time after discovery of a violation or knowledge of obtaining information personal.
However, Quackenbush said Point32Health has not yet sent the consumer affairs office written notice of the violation. The company first identified the cyberattack on April 17 and announced on Tuesday that patient information may have been copied and harvested from Harvard Pilgrim\’s systems between March 28 and April 17.
According to the state, notification must include the number of Massachusetts residents affected at the time of notification, information about any law enforcement involvement in the incident investigation, and a detailed description of the nature and circumstances of the security breach or of the unauthorized acquisition or use of personal information, among other things.
Through Point32Health did not send an official notice of the incident, the company has been in contact with the Office of Consumer Affairs and Business Regulation to inform them that it is conducting an internal investigation into what data was breached and whether it contained personal health information , Quackenbush said.
When asked to share any formal notification to state authorities about the violation, Harvard Pilgrim spokeswoman Kathleen Makela said in an email Thursday that the insurer forwarded them the same information available on our website.
The insurer also declined to offer an estimate of the number of people potentially affected by its breach. Makela said the insurer notified people whose information may have been involved in the accident and notified them through their employers, website and media coverage.
We will also start sending notices to those people for whom we have valid postal addresses in the coming weeks, Makela wrote to the News Service.
Point32Health has notified the Office of Consumer Affairs and Business Regulation that it has hired a third party to handle consumer inquiries about the violation, according to Quackenbush, and is offering credit monitoring services through IDX. The insurance giant is also working with an external company to improve safety.
Alison Kuznitz contributed to this report.
#Insurance #regulators #Point32Health #data #breach #Boston #Globe