Harvard Pilgrim Healthcare sued for data breach

An April ransomware attack that compromised the PII and PHI of some 2.5 million members has led to multiple class action lawsuits against the Massachusetts-based health plan and its parent company.
By Andrea Fox
11:29 AM

Multiple lawsuits accuse Harvard Pilgrim Health Care and its parent company Point32Health of "willful failure" to uphold their responsibilities to protect personally identifiable information and protected health information.

WHY IT MATTERS

Attorneys for Valeria Salerno Gonzales, a member of HPHC, filed a four-count, 32-page lawsuit for a jury trial against HPHC and Point32Health in Massachusetts court alleging damages and future damages to the health insurer's upwards of 2.5 million members, according to a report Tuesday in The Harvard Crimson.

Salerno Gonzalez v. Harvard Pilgrim Health Care Inc. et al alleges HPHC's "reckless and grossly negligent" approach to foreseeable risks and known threats. 

"As a proximate and foreseeable result of Defendants’ grossly negligent conduct, plaintiff and class members have suffered damages and are at imminent risk of additional harms and damages," the lawsuit reads.

Additional lawsuits allege HPHC violated the HIPAA Security Rule, the HIPAA Journal reported. 

Tracie Wilson v. Harvard Pilgrim Health Care, Inc. and Point32Health, Inc. alleges damages in part based on delay – the time it took the defendants to detect and report the breach. 

The plaintiff reported an increase in spam texts and calls after the breach, as well as anxiety, stress, sleep disruption and fear, according to the story.

On June 8, Point32Health posted a systems update asserting that providers should continue providing care to HPHC members and that services will be covered.

"We have made significant progress in bringing our systems back online and processing various business transactions," Point32Health spokesperson Kathleen Makela said in a statement to the Harvard University publication. 

She reportedly noted that information sharing with partners has resumed and more core functions will be coming back online in the weeks ahead.

"Our primary focus during recovery is to make sure members and our customers receive the care and services they need as quickly and as safely as possible." 

HPHC, founded by a former Harvard Medical School dean, is not part of Harvard University, the Crimson says. 

In 2000, when the insurer went into receivership with now-former Massachusetts Governor Charlie Baker appointed as receiver, the state sued the university to keep Harvard in its name. Point32Health was formed when HPHC merged with Tufts Health Plan in 2021.

THE LARGER TREND

In May, Point32Health confirmed the health data breach involving HPHC – data was copied and taken from the healthcare payer's systems during a cyberattack that occurred between March 28 and April 17.

HPHC, which has members in Massachusetts, New Hampshire, Maine and Connecticut, said exfiltrated data may have included names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers and clinical information. 

While providers are targeted by cybercriminals, cybersecurity experts have called for the entire healthcare ecosystem – including payers and pharma – to work together, according to Greg Conti, principal with Kopidion, and a trainer with Black Hat for nearly nine years.

"Detecting and mitigating attacks early in the kill chain can stop attacks before we feel the effects," he told Healthcare IT News.

"Sharing of threat information and creating visibility and situational awareness for not just an individual company but the healthcare industry as a whole will allow you to see attacker activity in advance and take appropriate measures."

ON THE RECORD

"Our system recovery efforts are focused on priority areas of the business, such as eligibility and enrollment; continuity of care, utilization management and prior authorizations; provider payments; claims processing for medical and behavioral health; sales and renewals and the remainder of business functions," Makela reportedly said in a statement.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
