Lawsuit accuses Harvard Pilgrim of 'negligently failing' to protect members' data following breach

Harvard Pilgrim Health Care and its parent company, Point32Health, have been hit with a class-action lawsuit for allegedly failing to secure the personal information of over 2.5 million people.

Valeria Salerno Gonzales, a Harvard Pilgrim client, accused the insurer of “intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures” to protect personal health information, according to the lawsuit, which was filed in the U.S. District Court for the District of Massachusetts.

In a press release last month, the payer said “data was copied and taken from Harvard Pilgrim systems between March 28, 2023, and April 17, 2023. Harvard Pilgrim is taking this incident extremely seriously and deeply regrets any inconvenience this incident may cause.”

Harvard Pilgrim offered free identity protection and two years of credit monitoring services for those whose data may have been stolen. “In response to this incident, Harvard Pilgrim is taking steps to implement additional data security enhancements and safeguards to better protect against similar events in the future,” the insurer said.

The information stolen included names, home addresses, phone numbers and Social Security numbers as well as medical information “which may include test results, procedure descriptions, diagnoses, personal or family medical histories and data points applied to a set of demographic information for a particular patient,” the lawsuit said.

“We have made significant progress in bringing our systems back online and processing various business transactions,” Point32Health spokesperson Kathleen Makela said in a statement to The Harvard Crimson. “Over the next few weeks, we expect more core functions and tools to come back online.”

Point32Health was created in 2021 by the merger of Harvard Pilgrim and Tufts Health Plan and, with about 2.4 million members, ranks as the second largest health plan in Massachusetts behind only Blue Cross Blue Shield of Massachusetts.

At the time, the companies predicted that their merger would increase access for members and allow for greater innovation and improved member experiences. Point32Health also said that it expected to save more than $100 million over time that it would use to reduce premiums and out-of-pocket costs for members.

Gonzales alleges that both her personal health information and her personally identifiable information were stolen as a result of the data breach. The lawsuit said that Gonzales “suffered actual injury in the form of damages to and diminution in the value of their PHI/PII—a condition of intangible property that they entrusted to defendants, which was compromised in and as a result of the data breach.”

Gonzales said in the lawsuit that she had to spend time finding theft insurance options and monitoring her bank accounts. In addition, there was “time spent seeking legal counsel regarding their options for remedying and/or mitigating the effects of the data breach.”