Question: I went on HMSA’s website to look for information about getting my COVID-19 vaccine paid for, and instead at the top of the page I found a notice marked “IMPORTANT!” about a cyberattack on Navvis, HMSA’s partner. It seems serious, with highly confidential information exposed, yet the only way I heard about it was by going to HMSA’s website on my own, for an unrelated reason. If an HMSA member does not get a notice from Navvis about this, does that mean their record/information was not affected?
Answer: “Yes, that is correct. Navvis mailed a notice directly to impacted individuals only,” Sudhakar Gummadi, HMSA’s chief information security and privacy officer, said Monday in an email.
He declined to say how many HMSA members were affected by the cyberattack, which Navvis & Co. LLC became aware of in late July. “The investigation is still ongoing and Navvis is actively working to understand the total impact and members affected, so it is premature to provide this data as it may be an inaccurate depiction of the scope of the incident,” he said.
The Hawaii Medical Service Association, commonly known as HMSA, is an independent licensee of the Blue Cross and Blue Shield Association and provides health insurance for more than half of Hawaii’s population, according to its website. Navvis supplies a comprehensive health care data management system that HMSA uses to help “support the relationship between our providers and their patients,” Gummadi said.
The notice on HMSA’s website says Navvis became aware of suspicious activity on its computer network on July 25, launched an investigation and determined that it was hacked between July 12 and 25. Unspecified attackers accessed systems that stored personal and protected health information, including people’s names, dates of birth, Medicaid/Medicare ID numbers, health plan information, medical treatment information, medical record numbers, patient account numbers, case identification numbers, provider and doctor information and health record information, and in some circumstances, Social Security numbers. The notice said Navvis would notify individuals whose information was affected, who were urged to take steps to avoid fraud and identity theft related to the hack, although no specific crimes beyond the cyberattack were detected.
Kokua Line asked why affected members weren’t notified sooner, since Navvis became aware of the problem in July.
“HMSA directed Navvis to notify affected members, both individually and via media notification, immediately after those members’ identities were ascertained. While Navvis learned that it was the victim of a cyberattack in late July, it informed HMSA that it had not yet determined whether any HMSA member information was impacted and had engaged a forensic analyst to determine the scope of the attack and the identities of those affected as soon as practicably possible. That process is ongoing and as additional impacted members are identified, they will be immediately notified as well. Protecting our members’ confidential information and privacy is of the utmost importance to us,” Gummadi said in the email.
Navvis is offering free credit monitoring services to affected members for one year, he said. For more information, affected members can call 888-996-4022 between 3 a.m. and 4 p.m. Hawaii time, Monday through Friday, or go to navvishealthcare.com/privacy-update.
As for the reason you visited the HMSA website, the Honolulu Star-Advertiser reported Saturday (808ne.ws/3PxWUlG) that technical issues that delayed insurance coverage of the latest COVID-19 vaccine for some members have been resolved.
Write to Kokua Line at Honolulu Star-Advertiser, 500 Ala Moana Blvd., Suite 7-500, Honolulu, HI 96813; call 808-529-4773; or email kokualine@staradvertiser.com.