
Harvard Pilgrim Class Action Lawsuit Filed Over Data Breach and Cyber Attack

On May 25, 2023, Harvard Pilgrim Health Care, Inc., one of the largest healthcare insurers in the Northeast United States, announced that it had begun sending out letters advising over 2.5 million individuals of a data breach attack in April 2023 by a third-party hacker.

Consumers have responded by filing class action lawsuits against the company.

According to Harvard Pilgrim’s data breach notice:

“[w]e determined that the files at issue may contain the following types of personal information and/or protected health information: names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information (e.g., medical history, diagnoses, treatment, dates of service, and provider names).”

Harvard Pilgrim data breach notice

According to this notice, consumers may have been impacted if they are a current or former member of Harvard Pilgrim (including individual and family plans purchased directly from Harvard Pilgrim, state-based exchanges, or plans selected through their employer) between March 28, 2012, and April 17, 2023 – a period of over 10 years – or if their physician or other provider is currently contracted with Harvard Pilgrim.

Consumers may also have been impacted if they are current or were former members of certain Harvard Pilgrim Health Plans Inc. between June 1, 2020, and April 17, 2023. Such private information could reveal sensitive and personal material, leading to privacy and security breaches.

Harvard Pilgrim Sued in Class Actions

Several class action lawsuits have been filed over this issue in Massachusetts, where Harvard Pilgrim Health Care is based, and will likely be consolidated in the next couple of months.

The class action lawsuits allege claims for negligence, breach of duties to protect confidential information, breach of contract and unjust enrichment.

The class action lawsuits seek an unspecified amount of damages. As these class action lawsuits have just been filed, Harvard Pilgrim Health Care and its parent company have not yet responded.

According to Harvard Pilgrim, beginning on or about March 28, 2023, a hacker accessed and began to steal files from systems that support the Harvard Pilgrim Health Care Commercial and Medicare Advantage Stride℠ plans (HMO)/(HMO-POS) system.

Harvard Pilgrim admitted that this hacker was able to breach data by accessing files on Harvard Pilgrim Health Care’s servers, but Harvard Pilgrim did not detect this infiltration for almost three weeks: “Unfortunately, the investigation identified signs that data was copied and taken from our Harvard Pilgrim systems from March 28, 2023, to April 17, 2023.”

Harvard Pilgrim claims that the hacker stole no patient banking information and that it is not aware of any misuse, but it was not clear about the extent of personal information that is at issue.

Harvard Pilgrim is still investigating this incident and will provide updates if the investigation determines additional individuals may potentially be impacted.

If you obtained services from Harvard Pilgrim between March 28, 2012 and April 17, 2023, your personal information may have been hacked and you may have been the victim of a data breach.

Data Breach Laws Protect You

Many states, including Massachusetts, have data breach protection laws but do not provide a direct right of action for their violation. However, there are other claims that individuals can assert that can provide for compensation.

In addition, California laws specifically protect the personal information of California residents who may have used Harvard Pilgrim’s services in the last 10 years.

  • The California Customer Records Act requires businesses to implement and maintain reasonable security procedures and practices to protect consumers’ personal information.
  • In 2018, California passed the California Consumer Privacy Act (CCPA). This law has many protections for the personal information of California residents.
  • The Confidential Medical Information Act (CMIA) also protects confidential health-related information, depending on the materials accessed. It is unclear at this time whether the information hacked violated that law. The CMIA requires a health care provider, health care service plan, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a way that preserves the confidentiality of the information within those records. The CMIA defines “medical information” to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or has any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or other information that reveals the individual’s identity.

While all consumers who received notice of this breach may be entitled to some money, consumers in California may specifically be entitled to between $100 and $1,000 or their actual damages, whichever is greater, depending on which of these laws were violated.

Participants in data breach class actions can recover damages, injunctive relief (to ensure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else necessary to compensate data breach victims and prevent these harms from occurring again.

Identity theft is on the upswing.

Exercise Your Rights Under the Law

Even when your data has been part of a breach, you may not be awarded compensation without legal assistance. Experienced data breach and class action attorneys can help you exercise your rights, evaluate your options and decide whether you are entitled to compensation.


