Wednesday marked one month since Harvard Pilgrim Health Care was the victim of a ransomware attack, leading the company to take nearly all of its systems offline to contain the damage. The challenges for the insurance company and some of its members persist weeks later. GBH's Craig LeMoult has been speaking with one family that's been affected by the problems and joined GBH's All Things Considered host Arun Rath to share their story. This transcript has been lightly edited for clarity.
Arun Rath: So first, remind us exactly what happened to Harvard Pilgrim one month ago.
Craig LeMoult: As you said, on April 17, there was a ransomware attack against Harvard Pilgrim. In those kinds of attacks, hackers manage to get into a computer system and block access until a ransom is paid. It's not clear if Harvard Pilgrim has paid any ransom; they haven't answered me several times when I've asked that question.
Ransomware attacks against health care companies are increasingly common. A study published last year showed the annual number of ransomware attacks on health care delivery organizations more than doubled between 2016 and 2021, exposing the personal health information of nearly 42 million patients. A federal database shows the number of those kinds of attacks doubled again last year, with [nearly] 410 ransomware attacks reported in 2022.
In taking down their internal system, Harvard Pilgrim lost the ability to confirm patient eligibility for its members. In a statement, Harvard Pilgrim's parent company, Point32Health, said a number of systems are expected to come back online over the next several weeks, and some processes could be phased back in as early as this week.
Rath: And tell us about what happened with this family that you've been speaking with.
LeMoult: In covering the ransomware attack, we reached out online to hear if the system's outage was impacting patients. I should say I spoke with one woman a couple of weeks ago who was worried about getting authorization for surgery for a brain tumor. She did hear from Harvard Pilgrim that she should definitely go ahead and have that surgery.
Then last Friday, I heard from Chris Robarge of Worcester. He told me he tried to pick up some routine prescriptions about three weeks ago and was surprised when the pharmacy told him his health insurance had been terminated. He had health care coverage through the state Health Connector, and his insurer was Harvard Pilgrim.
Chris Robarge [previously recorded]: "And it seems that the issue is that due to this ransomware attack that Harvard Pilgrim had, they are not able to access any of their internal systems. However, I have health insurance, the Harvard Pilgrim says I have health insurance, and the Health Connector says I have health insurance, but I cannot access my health insurance. It is useless to me because I cannot utilize it."
LeMoult: And he didn't understand why. For his wife, Erin Quigley, that's meant she hasn't been able to fill a prescription for a monthly shot of AJOVY, which is a medication that prevents migraines and regular headaches that she suffers from. It's a monthly shot, and it's too expensive for them to pay out of pocket.
Erin Quigley [previously recorded]: "So, it's been about three weeks that I've been without it now. And I've had, you know, a couple of migraines. And I just sort of have to be very careful about what I'm doing so that I don't do anything else to trigger another migraine."
LeMoult: Erin told me on Monday she was constantly having headaches and was down to her last two doses of another medication that treats serious migraines if she gets one. And she was worried that if she did get another migraine, that she'd wind up in the ER.
Rath: But Craig, you said they have insurance. Couldn't Harvard Pilgrim just tell the pharmacy that they are covered yet?
LeMoult: They said Harvard Pilgrim actually tried that. They called the pharmacy on their behalf, but it didn't work because the computer system there just said they didn't have coverage, and Harvard Pilgrim didn't have access to their own systems because of the ransomware attacks. So, they basically couldn't correct what was essentially a data error.
But then things took another twist. I reached out to the press office for Harvard Pilgrim's parent company, Point32Health, on Monday, looking to talk to them about this case. The response I got was that Chris and Erin were not active Harvard Pilgrim members. Erin got a call saying that same thing, and that was news to Chris.
Robarge [previously recorded]: "They seemed to have decided that we are not actively insured. And what their reasoning or what the change in the story is from their end is not clear to me. There is no continuity to anything that you hear from them or really from anyone on this."
LeMoult: By this point, Chris and Erin were in touch with the attorney general's office about all of this, and the AG's office told me they were in touch with Harvard Pilgrim about the case. The AG's office said this is one of nine complaints their office has received related to Harvard Pilgrim's ransomware situation.
Rath: So what happened after that?
LeMoult: Well, Chris and Erin's health insurance is provided by Chris's employer through the state Health Connector. All along, the Health Connector's website has been showing that they are covered. I spoke with people from the Connector — and so did Erin and Chris, of course — and they said they were reaching out to Harvard Pilgrim. Then last night, after three weeks of spending hours on the phone every day trying to rectify this, Erin finally got a call from the same woman at Harvard Pilgrim, who [had] told her the day before that they didn't have insurance.
Quigley [previously recorded]: "And she basically explained that they screwed it up, and we have health insurance, and that they had done some manual override things. And our prescription coverage is active now."
LeMoult: Erin says after all the literal and figurative headaches over the last several weeks, she has mixed emotions.
Quigley [previously recorded]: "I am relieved — relieved and confused. You know, just how did it take this long? Why did it take, you know, a reporter getting involved, the attorney general's office? It's just completely unacceptable to me."
Rath: Craig, after all that, do we have any understanding of what caused the problem to begin with?
LeMoult: It turns out that Chris' office changed its health policy and Harvard Pilgrim didn't update its system to reflect a new expiration date. So, the system thought their policy was canceled on April 1. Harvard Pilgrim issued a statement today apologizing to Chris and Erin for the problem accessing their health care and for the stress that all of this caused, and they apologized to GBH for providing incorrect information. Actually, the statement says the company's "current systems outage impacted our ability to fully investigate and remediate the members' access issues."
When I asked Chris and Erin what they learned from all this, Chris's response went far beyond just the current situation with the ransomware attack.
Robarge [previously recorded]: "The lesson that I take away from this is that having 19,000 layers of contractors and subcontractors and for-profit health care is a huge waste of money, and it doesn't work well. It is a system that is, I think, set up to say 'no' instead of say 'yes,' and to deny access rather than provide it."
LeMoult: Both he and Erin say this shows the need for a different system of providing health care nationally. And Chris told me he'll never be as happy to go to the pharmacy as he will be this week.
Rath: Craig, thanks so much for this reporting.
LeMoult: You're welcome.