{shortcode-fbfa5ea2746f0810af4bdc43631ac659778d6f64}
In a class action lawsuit filed last week, the insurance firm Harvard Pilgrim Health Care was accused by one of their clients that the provider and its parent company, Point32Health, failed to secure its customers’ personal information in a massive data breach affecting 2.5 million people.
Attorneys for Valeria Salerno Gonzales, a client of HPHC, say that the health care firm and Point32Health “intentionally, willfully, recklessly, or negligently” failed to ensure that personal health and identification information was secure and that the company did not take the appropriate steps to prevent data breaches.
HPHC is not a part of Harvard University, but was founded by a former Harvard Medical School dean, maintains an HMS affiliation, and covers many Harvard affiliates. In 2000, when Harvard was involved in discussions to bail out the insurance firm after it suffered severe losses, the University “[asserted] rights to the use of its name by Harvard Pilgrim.” Massachusetts sued to continue allowing HPHC to use the Harvard name.
HPHC’s parent company, Point32Health, formed as a result of HPHC’s 2021 merger with Tufts Health Plan. Point32Health is Massachusetts’s second largest insurer, with 2.4 million customers.
HPHC alerted customers last month that “data was copied and taken from our Harvard Pilgrim systems from March 28, 2023, to April 17, 2023,” prompting outcry — and now, a lawsuit. The breach, according to the company, affected a slate of private data, including names, addresses, Social Security numbers, and health information.
“We want to assure you that we are taking this incident extremely seriously, and we deeply regret any inconvenience this incident may cause,” the HPHC statement reads.
In their four-count, 32-page lawsuit, lawyers for Gonzales — who is seeking a trial by jury — allege that HPHC and Point32Health’s “willful failure” to uphold their responsibilities “was wrongful, reckless, and grossly negligent in light of the foreseeable risks and known threats.”
“As a proximate and foreseeable result of Defendants’ grossly negligent conduct, Plaintiff and Class Members have suffered damages and are at imminent risk of additional harms and damages,” the lawsuit reads.
The lawsuit also claims that as a result of HPHC and Point32Health’s breach of contract, their clients “have suffered (and will continue to suffer)” identity theft and other damages, and that HPHC and Point32Health breached an “implied covenant of good faith and fair dealing” and “were unjustly enriched” at the expense of their clients.
In a statement to The Crimson, Point32Health spokesperson Kathleen Makela wrote that “We have made significant progress in bringing our systems back online and processing various business transactions.”
“Over the next few weeks, we expect more core functions and tools to come back online,” she added.
Makela pointed to the distribution of payments for claims processed before the incident, the resumption of information sharing with partners, and the implementation of additional security and detection measures.
Attorneys for Gonzales did not reply to requests for comment.
—Staff writer Rahem D. Hamid can be reached at rahem.hamid@thecrimson.com.
Read more in News
Unabomber Ted Kaczynski Dies at 81