Harvard Pilgrim Health Care (HPHC), a non-profit health services provider based in Massachusetts, has disclosed a ransomware attack that affected 2,550,922 individuals and resulted in the theft of their sensitive data.
The attack occurred between March 28 and April 17, 2023, but was only discovered recently. An investigation conducted with the help of cybersecurity experts revealed that the attackers exfiltrated a wide range of sensitive information, including names, addresses, Social Security numbers, and clinical data.
HPHC has notified the U.S. Department of Health and Human Services about the breach, as it affects nearly all of its members. The organization is currently conducting an active investigation and extensive system reviews to understand the full extent of the incident before resuming normal business operations.
The stolen data poses a risk to affected individuals, as it could be used in phishing or social engineering attacks. However, HPHC has not yet identified any cases of data misuse.
In response to the breach, HPHC is offering credit monitoring and identity theft protection services to individuals impacted by the incident. Ransomware gangs often use stolen data as leverage to pressure victims into paying ransoms.
If victims refuse to comply, the attackers may sell the data or release it publicly. At present, no ransomware group has claimed responsibility for the attack on HPHC. Current and former members are advised to exercise caution when receiving unsolicited messages and to remain vigilant for an extended period of time.