Tufts Health Plan provides update on 2023 Harvard Pilgrim Health Care data security incident

Tufts Health Plan is providing an update on the 2023 Harvard Pilgrim Health Care (“Harvard Pilgrim”) data security incident.

On April 17, 2023, Harvard Pilgrim discovered a cybersecurity ransomware incident that impacted Point32Health systems that primarily provided support for the Harvard Pilgrim lines of business, but which may have maintained some Tufts Health Plan member information as a result of the combination of Harvard Pilgrim and Tufts Health Plan in January of 2021. Since discovering the incident we have been working with a third-party expert in a continuous effort to identify individuals whose information may have been impacted by the incident.

We take the privacy and security of the data entrusted to us seriously. We conducted extensive system reviews and analysis before resuming our normal business operations. Unfortunately, the investigation identified signs that data was copied and taken from our Harvard Pilgrim systems from March 28, 2023, to April 17, 2023.

We recently determined that the files at issue may contain the following types of personal information and/or protected health information related to a subset of current and former Tufts Health Plan members: names, physical addresses, phone numbers, dates of birth, email addresses, health insurance account information, Social Security numbers, clinical information (e.g., medical history, diagnoses, treatment, dates of service, and provider names) and, for a limited number of individuals, financial account numbers, payment card numbers, and driver’s license numbers. We are not aware of any misuse of personal information or protected health information as a result of this incident.

We have established a dedicated call center for individuals to contact with questions or concerns and for potentially impacted individuals to enroll in complimentary credit monitoring and identity theft protection services. If you have any questions regarding this incident, please contact the dedicated assistance line, which can be reached at 877-202-5504 (toll free), Monday through Friday from 9:00 AM to 9:00 PM ET, excluding U.S. holidays. For general guidance on how to protect against identity theft and fraud, please see the below Steps You Can Take to Protect Personal Information.

Harvard Pilgrim has implemented additional data security enhancements and safeguards to better protect against similar events in the future. We remain committed to safeguarding the privacy and security of information we collect in providing services to our members.

Steps you can take to protect personal information

Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 877-322-8228. Consumers may also directly contact the three major credit reporting bureaus listed below to request a free copy of their credit report.

Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If consumers are the victim of identity theft, they are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should consumers wish to place a fraud alert, please contact any of the three major credit reporting bureaus listed below.

As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in a consumer’s name without consent. However, consumers should be aware that using a credit freeze to take control over who gets access to the personal and financial information in their credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application they make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, consumers cannot be charged to place or lift a credit freeze on their credit report. To request a credit freeze, individuals may need to provide some or all of the following information:

1. Full name (including middle initial as well as Jr., Sr., II, III, etc.);
2. Social Security number;
3. Date of birth;
4. Addresses for the prior two to five years;
5. Proof of current address, such as a current utility bill or telephone bill;
6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
7. A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if they are a victim of identity theft.

Should consumers wish to place a credit freeze or fraud alert, please contact the three major credit reporting bureaus listed below:

Equifax

• https://www.equifax.com/personal/credit-report-services/
• 888-298-0045
• Equifax Fraud Alert, P.O. Box 105069 Atlanta, GA 30348-5069
• Equifax Credit Freeze, P.O. Box 105788 Atlanta, GA 30348-5788

Experian

• https://www.experian.com/help/
• 888-397-3742
• Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013
• Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013

TransUnion

• https://www.transunion.com/credit-help
• 800-916-8800
• TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016
• TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094