
Harvard Pilgrim Health Care to pay $16 million to settle data breach litigation

Harvard Pilgrim Health Care and its parent company, Point32Health, have reached a $16 million settlement to resolve claims arising from a 2023 ransomware attack that compromised the sensitive data of nearly three million individuals. The agreement follows multiple class action lawsuits that were consolidated into a single case in the U.S. District Court for the District of Massachusetts.


The cyberattack, which took place between March 28 and April 17, 2023, resulted in unauthorized access to systems containing the protected health information of 2,967,396 health plan members. Hackers deployed ransomware to encrypt files after exfiltrating a significant volume of data, including names, contact information, dates of birth, medical histories, diagnosis and treatment details, Social Security numbers, and other personally identifiable information. Harvard Pilgrim Health Care began issuing notification letters to affected individuals on a rolling basis starting on May 24, 2023, continuing through June 2024 as additional individuals were identified as victims of the breach.


In response to the breach, multiple lawsuits were filed against Harvard Pilgrim Health Care and Point32Health, alleging negligence in safeguarding sensitive customer data. Plaintiffs argued that the defendants had acted "intentionally, willfully, recklessly, or negligently" in maintaining data security, leading to the exposure of class members to potential identity theft and fraud. The legal claims included allegations of negligence, breach of implied contract, breach of fiduciary duty, and unjust enrichment.


After extensive negotiations, including a full-day mediation session, both parties reached a settlement that aims to provide direct benefits to those affected while avoiding an admission of liability from the defendants. The settlement establishes a $16 million fund to cover approved claims, alternative cash payments, credit monitoring services, administrative costs, class representative service awards, and legal fees.


Under the terms of the agreement, class members may claim up to $2,500 for documented, unreimbursed out-of-pocket expenses linked to the ransomware attack, as well as compensation for up to seven hours of lost time at a rate of $30 per hour. Additionally, individuals who can demonstrate “fairly traceable extraordinary losses” may be eligible for compensation up to $35,000. The settlement also provides all class members with two years of complimentary credit monitoring services. For those who do not submit specific claims, an alternative cash payment of $150 is available.


The process for opting out of or objecting to the settlement will conclude 60 days after the yet-to-be-determined notice deadline. Class members will have 90 days from the notice deadline to submit claims. The final approval hearing will take place no sooner than 90 days after notices are mailed or 14 days after the claims deadline, whichever comes later.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543