Parent of 2 Major Massachusetts Health Insurers Suffers Ransomware Attack

April 20, 2023 - Massachusetts-based Point32Health, the parent of Harvard Pilgrim Health Care and Tufts Health Plan, posted a notice on its website regarding a “cybersecurity ransomware incident” that it discovered on April 17. Harvard Pilgrim Health Care and Tufts Health Plan merged in 2021, creating one of the state’s largest health insurers.

The website notice stated that most of the impacted systems are on the Harvard Pilgrim Health Care side of the business. Point32Health took certain systems offline out of caution and has notified law enforcement of the incident.

“Our top priority is to ensure our members continue to have access to care,” the notice stated. “While we work diligently to restore the impacted systems as quickly and as safely as possible, our team is working around the clock to provide workarounds for members to receive the services they need.”

It is unclear at this time how many individuals were impacted by the incident. Point32Health directed members who need urgent assistance to call the member services number on their ID card.

“We take the privacy and security of the data entrusted to us seriously. If during our investigation we determine any individuals’ sensitive information is involved in this incident, we will notify them in accordance with applicable law,” the notice concluded.

Medtronic Notifies InPen App Users of Data Privacy Incident

Medtronic MiniMed and MiniMed Distribution Corp., known collectively as Medtronic Diabetes, notified users of its InPen Diabetes Management iOS and Android mobile applications of a data privacy incident.

On February 13, Medtronic Diabetes discovered that certain tracking technologies present in its apps were disclosing certain details about user actions to Google. Specifically, the data was disclosed when users were logged into their Google accounts at the same time as the InPen App and if they had shared their identity or other online activity with Google.

“In an effort to deliver high quality services to patients, Medtronic Diabetes used the services of Google Analytics and Crashlytics to understand how users interact with the InPen App,” Medtronic Diabetes explained.

“These technologies were designed to gather information so that we can better identify technical issues, assess the performance of the application and understand user needs and preferences to provide needed care to our customers.”

Out of caution, Medtronic Diabetes is notifying all users who have registered for or used the InPen App since September 2020.

“You may have been impacted differently based on your choice of browser; the configuration of your browsers; your blocking, clearing or use of cookies; whether you have Google accounts; whether you were logged into Google; and the specific actions you took on the platform,” the notice stated.

The incident involved user email addresses, IP addresses, usernames and passwords, phone numbers, and unique identifiers tied to InPen accounts. Medtronic Diabetes encouraged users to keep the InPen app updated to its latest version.

“We have removed Google Analytics from the latest version of the InPen App, and are implementing a plan to transition from Crashlytics and Firebase Authentication to new crash reporting and authentication platforms for the InPen App,” the notice added.

“In addition, we are proactively assessing how to further mitigate the risk of unauthorized disclosures of user protected health information in the future, we will continue to monitor our information security and technology solutions, and we will make improvements and enhancements where appropriate.”