As a result of a ransomware attack affecting Harvard Pilgrim Health Care commercial and Medicare Advantage Stride plans, HPHC parent company Point32Health says it is waiving prior authorizations for most medical and behavioral health-covered services and cannot accept claim submissions for Harvard Pilgrim commercial members at this time.
WHY IT MATTERS
Point32Health, which is the second largest health insurer in the Bay State, also owns several other health plans that are thus far unaffected by the cyber attack. The company detected the presence of a malicious actor within its network on April 17, according to a statement on its website.
While the insurer indicated that it does not yet have evidence that protected health information was compromised, an online FAQ for members, providers and brokers indicated the following impacts to operations that affect providers and patients:
- No files are going into or out of Harvard Pilgrim Health Care systems, including EDI, HRA/HSA and data warehouse extracts, and no electronic payments are being taken.
- Prior authorizations for CAR-T cell therapy, gender-affirming surgical procedures and solid organ transplant surgeries are not waived – all others are waived until further notice.
- Prior authorizations for pharmacy and medical benefit drugs are still required because those systems continue to function normally.
Member enrollments being processed when systems went down could be denied at the pharmacy, the company noted in the FAQ.
“We are actively working with Optum to load newly enrolled members into OptumRx,” Point32Health says.
“If members are having difficulties filling a prescription, they should call the number on the back of their ID card, and a representative will work to ensure that their medication can be filled.”
Some disruptions to care are being reported as providers and pharmacies may be concerned about a member’s covered services and medications.
WCVB reported that a viewer was told at a CVS MinuteClinic that their health insurance was rejected and they would need to pay out of pocket.
“I left the clinic without receiving care,” the viewer reported.
According to the Boston Business Journal, Point32Health is currently in an open enrollment period for Massachusetts’ state employees until May 5. New enrollees will receive temporary member ID cards, according to the Point32Health FAQ.
HPHC websites remain offline and are repointing to the Point32Health System Update statement and FAQ as of Monday morning.
THE LARGER TREND
A University of Minnesota Public Health study published recently in JAMA found that half of the ransomware attacks from 2016-2021 disrupted healthcare delivery.
While the disclosure of protected health information is always a concern for HIPAA-required organizations, disruptions to care can result in patient injury and even death.
“Common disruptions included electronic system downtime, 41.7%, cancellations of scheduled care, 10.2%, and ambulance diversion 4.3%,” according to the researchers.
While provider organizations are often the primary targets for cyber attacks in the healthcare sector, insurers and other sources of high-value healthcare data are also attacked.
The French health insurance company Mutuelle Nationale des Hospitaliers experienced a RansomExx ransomware attack that disrupted the company’s healthcare operations in 2021.
Last month, the DC Health Link insurance marketplace experienced a security breach that compromised the personal data of numerous House of Representative members, spouses, dependents and employees in both parties, according to a Politico report.