Question: I just got a letter from a company I have never heard of saying that my private medical information was hacked because I am a member of HMSA and what to do about it, which involves going to a website and inputting personal information. Is this a scam? I Googled the company (Navvis) and saw that on Oct. 3 Kokua Line wrote about a data breach involving Navvis and HMSA (the hack was in July). But if this letter is real, why am I just getting it now? Why didn’t I get it in October?
Answer: The letter is genuine, notifying you and other current or former HMSA members that a July 12-25 cyberattack against Navvis & Co. LLC exposed your private information held by the company, which provides a comprehensive health care data management system for the Hawaii Medical Service Association. More than half of Hawaii’s population has HMSA insurance, according to its website.
Navvis, which detected the cyberattack July 25, is offering affected people free credit monitoring for a year through IDX, and the website you mentioned is one of the places where affected people can sign up; detailed instructions are in the letter.
You are one of numerous readers asking about these letters. Some asked whether the letter was a scam (no), and others expressed outrage that it took so long to be notified that their health records and other personal information were exposed six months ago. Here are emailed responses to some reader questions from Sudhakar Gummadi, HMSA’s chief information security officer:
Q: Is this letter legitimate? Some recipients wondered whether it was a scam letter because it arrived so many months after HMSA first publicized this incident.
A: “We can confirm that Navvis, in consultation with HMSA, has sent and continues to send out letters concerning a privacy incident that occurred in the latter half of last year.”
Q: Why are these members being notified now, so many months after the incident was first detected?
A: “This incident involved the information technology systems of Navvis, a vendor partner of HMSA. HMSA learned in December 2023 that the number of affected individuals increased because the ongoing forensic analysis by Navvis and cybersecurity experts identified additional current and former HMSA members who were affected by the cyberattack it experienced in the latter half of 2023. Due to the nature and complexities of the information involved, it took time for Navvis to identify the current and former members whose information may have been compromised by this incident.
“We take this situation very seriously and acted immediately in responding to and supporting the investigation of this incident, and ensured that Navvis notified affected current and former members promptly once they were identified as an affected individual. Navvis and HMSA are committed to notifying our current and former members as quickly as possible so they can take action.”
Q: How many HMSA members have been affected?
A: “The investigation and validation of current and former member information is still ongoing, so we do not yet know the full scope and number of those who were potentially impacted. The forensic analysis is extremely complex, so it takes time for information to be identified during the investigation.”
Q: When were affected people notified?
A: “If any current or former HMSA members were affected by this incident, they were notified immediately and may have received a letter from Navvis after Sept. 23, 2023. After further investigation, Navvis informed HMSA that additional current and former HMSA members were affected, and Navvis would send letters in the mail to notify those who were impacted promptly as those individuals were identified, with mailings taking place over the next several weeks, which started in late December 2023.”
Q: Have all affected members now been notified, or could there be more notifications?
A: “The identification of affected members is still ongoing, so there could be more notifications as potentially impacted individuals are identified.”
Q: Will HMSA continue its partnership with Navvis in light of this?
A: “We will evaluate our partnership but, in the meantime, HMSA will continue supporting Navvis in their ongoing investigation and forensic analysis of this cybersecurity incident. HMSA requires all its vendors and partners to adhere to the same high standards of cybersecurity that it holds itself to. We will continue to evolve with all of our partners and vendors to keep up with the increase in cybercrimes, including putting additional security protocols in place to protect the HMSA network, email environment, systems, and personal information when these become available.”
Q: What information was compromised?
A: “This is a general list of personal information that may have been compromised: member name, birth date, Social Security number, Medicaid/Medicare ID number, HMSA subscriber ID number, health plan and medical treatment information, medical record number, patient account number, case identification number, provider and doctor information, and health record information.”
Read the Oct. 3 Kokua Line column on this topic at 808ne.ws/41ZqmXC.
Write to Kokua Line at Honolulu Star-Advertiser, 500 Ala Moana Blvd., Suite 7-500, Honolulu, HI 96813; call 808-529-4773; or email kokualine@staradvertiser.com.