Harvard Pilgrim Health Care (HPHC) has revealed that a ransomware attack it suffered in April 2023 affected 2,550,922 people, with threat actors also stealing their sensitive data from compromised systems.

The Massachusetts-based nonprofit health service provider shared this information — which matches nearly all of its members — with the US Department of Health and Human Services. breach portal.

Last week, the organization issued a notice advising that ransomware actors maintained access to its systems between March 28 and April 17, 2023, when the flaw was discovered.

A subsequent investigation conducted with the help of third-party cybersecurity experts revealed that the cybercriminals had exfiltrated sensitive data from HPHC’s network.

“Unfortunately, the investigation has identified signs that data was copied and extracted from our Harvard Pilgrim systems from March 28, 2023 to April 17, 2023,” read the note.

“We are continuing our active investigation and performing thorough reviews and analysis of the system before we can resume normal business operations.”

As a result of the attack, coverage for the Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride systems is affected.

Stolen files include the following types of sensitive information:

• Full names
• Physical addresses
• Phone numbers
• Date of birth
• Health insurance account information
• Social security numbers
• Vendor Tax Identification Numbers
• Clinical information, including medical history, diagnoses, treatment, dates of service, and names of providers

The organization said the incident impacts current and former members of Harvard Pilgrim, whose enrollment date begins March 28, 2012.

The above information is very sensitive and could expose data subjects to phishing or social engineering attacks. HPHC declares that it has not detected any cases of misuse of stolen data.

HPHC also provides credit monitoring and identity theft protection services to protect those affected by this security incident.

It is important to note that ransomware gangs often exploit stolen data to pressure victims into complying with ransom demands. If victims refuse to pay, attackers can also sell the data to other cybercriminals or make it public.

No ransomware group has claimed responsibility for the attack on HPHC, according to information available to date.

For current or former members of HPHC, it is strongly advised to exercise caution when receiving unsolicited messages and to remain vigilant for an extended period of time.