This notice serves to provide you with an update on our ransomware incident that took place on April 17. We are continuing our active investigation and conducting extensive system reviews and analysis before we can resume our normal business operations. Unfortunately, the investigation identified signs that data was copied and taken from our Harvard Pilgrim Health Care (“Harvard Pilgrim”) systems between March 28, 2023, and April 17, 2023. We determined that the files at issue may contain personal information and/or protected health information for current and former subscribers and dependents and current contracted providers.
We want to assure you that we take the privacy and security of the data entrusted to us very seriously, and we deeply regret any inconvenience this incident may cause.
What Happened
On April 17, Harvard Pilgrim discovered a cybersecurity ransomware incident that impacted systems that support Harvard Pilgrim Health Care (HPHC) Commercial and Medicare Advantage StrideSM plans (HMO)/(HMO-POS). We are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation.
What Information Was Involved
The personal information in the files at issue may include your name, Social Security number, and taxpayer identification number. We are not aware of any misuse of your personal information or protected health information as a result of this incident.
What We Are Doing
As explained above, we took immediate steps to secure our systems and engaged third-party forensic experts to assist in the investigation. Further, in response to this incident, we implemented and/or are continuing to implement additional cybersecurity safeguard to our existing robust infrastructure to better minimize the likelihood of this type of event occurring again.
Additionally, we are providing you with the opportunity to register for two (2) years of complimentary credit monitoring and identity protection services through IDX. Although we are making these services available to you, we are unable to enroll you directly. For enrollment instructions, please review the information below, Steps You Can Take to Protect Personal Information.
What You Can Do
We recommend that you remain vigilant, monitor and review all of your financial and account statement, and report any unusual activity to the institution that issued the record and to law enforcement. You may also review the guidance contained in Steps You Can Take to Protect Personal Information.
For More Information
The security of your protected health information is a top priority for us. We sincerely regret this incident occurred and for any concern it may cause you. We understand that you may have additional questions. For assistance with questions regarding this incident, please call our dedicated call center, IDX, at (888) 220-5517. Representatives are available between the hours of 9:00 am to 9:00 pm Eastern time, Monday through Friday (excluding U.S. holidays).
In addition to this notification about your data, we want to make you aware that we are notifying current and former subscribers and dependents whose information may have been potentially impacted.
Steps you can take to protect your personal information
Enrollment Code: QE3U9P6XL
Go to https://response.idx.us/HPHC and follow the instructions for enrollment using your Enrollment Code above. Additionally, you may call the IDX call center at (888) 220-5517 (toll free), Monday through Friday from 9:00 a.m. to 9:00 p.m. ET, excluding U.S. holidays.
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Consumers may also directly contact the three major credit reporting bureaus listed below to request a free copy of their credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If consumers are the victim of identity theft, they are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should consumers wish to place a fraud alert, please contact any of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. A security freeze essentially blocks any potential creditors from being able to view or pull your credit file unless you affirmatively unfreeze or thaw your file beforehand. Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit, mortgage and bank accounts. When you place a freeze, each credit bureau will assign you a personal identification number (PIN) that needs to be supplied when you open a new line of credit. When that time comes, consumers can temporarily thaw a freeze for a specified duration either online or by phone. However, consumers should be aware that using a credit freeze to take control over who gets access to the personal and financial information in their credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application they make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, consumers cannot be charged to place or lift a credit freeze on their credit report. To request a credit freeze, individuals may need to provide some or all of the following information:
Full name (including middle initial as well as Jr., Sr., II, III, etc.);
Social Security number;
Date of birth;
Addresses for the prior two to five years;
Proof of current address, such as a current utility bill or telephone bill;
A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if they are a victim of identity theft.
Should consumers wish to place a credit freeze or fraud alert, please contact the three major credit reporting bureaus listed below:
TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094
Consumers may further educate themselves regarding identity theft, fraud alerts, credit freezes, and the steps they can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or their state Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. Consumers can obtain further information on how to file such a complaint by way of the contact information listed above. Consumers have the right to file a police report if they ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, consumers will likely need to provide some proof that they have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and the relevant state Attorney General. This notice has not been delayed by law enforcement. The following is information required by applicable state law:
For District of Columbia residents, the District of Columbia Attorney General may be contacted at: 400 6th Street, NW, Washington, D.C. 20001; 202-727-3400; and oag.dc.gov.
For Maryland residents, the Maryland Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-410-528-8662 or 1-888-743-0023; and https://www.marylandattorneygeneral.gov/.
For New Mexico residents, consumers have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in their credit file has been used against them, the right to know what is in their credit file, the right to ask for their credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to consumers’ files is limited; consumers must give consent for credit reports to be provided to employers; consumers may limit “prescreened” offers of credit and insurance based on information in their credit report; and consumers may seek damages from violators. Consumers may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active-duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage consumers to review their rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.
For New York residents, the New York Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; or https://ag.ny.gov.
For North Carolina residents, the North Carolina Attorney General may be contacted at: 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; and www.ncdoj.gov.
For Rhode Island residents, the Rhode Island Attorney General may be reached at: 150 South Main Street, Providence, RI 02903; www.riag.ri.gov; and 1-401-274-4400. Under Rhode Island law, individuals have the right to obtain any police report filed in regard to this event.