Harvard Pilgrim health network updates data breach total to nearly 2.9 million

Harvard Pilgrim Health Care said the number of people affected by a ransomware attack last spring is larger than originally stated.

The New England health insurance firm was attacked by a still-unidentified ransomware gang on April 17, 2023, limiting service for days. The company has submitted multiple different breach notification letters to regulators in Maine since the incident, with the latest upping the figure to 2,860,795, an increase of about 12 percent over the original total.

It’s the latest example of how the number of people impacted by data breaches can expand as investigations into incidents evolve. A 2021 cyberattack on T-Mobile was originally believed to have affected about 50 million people in the U.S., but that number was later revised to 76.6 million. 

A similar incident occurred last year, when hackers attacked a popular file transfer tool used by dozens of governments and companies. The government of Nova Scotia was forced to expand its warnings after realizing more people were affected than previously understood. 

The attackers were in Harvard Pilgrim’s systems from March 28, 2023 to April 17, 2023. Harvard Pilgrim Health Care worked with federal law enforcement and cybersecurity firms to resolve the incident.

Harvard Pilgrim said the files involved may contain personal data and protected health information on current and former subscribers and dependents, as well as current contracted providers. The nonprofit serves more than 1.1 million members who primarily reside in Massachusetts, New Hampshire, Maine and Connecticut.

The company’s parent, Point32Health, formed in 2021 when Harvard Pilgrim and Tufts Health Plan were merged, serving more than 2.2 million people overall. The company is the second-largest insurer in Massachusetts and the state’s previous governor, Charlie Baker, was chief executive of Harvard Pilgrim Health Care for a decade.