Infosec in brief Nearly a year on from the discovery of a massive data theft at healthcare biz Harvard Pilgrim, and the number of victims has now risen to nearly 2.9 million people in all US states.

Pilgrim’s problems were first admitted last year after a March ransomware infection that affected systems tied to the health services firm’s commercial and Medicare Advantage plans. While the intrusion occurred on March 28, 2023, it wasn’t discovered until April 17. Pilgrim says it believed customer data was extracted in the interim period.

“After detecting the unauthorized party, we proactively took our systems offline to contain the threat,” Harvard Pilgrim said in its latest notification letter sent out this month. “We notified law enforcement and regulators and are working with third-party cybersecurity experts to conduct a thorough investigation into this incident and remediate the situation.”

Names, physical addresses, phone numbers, birth dates, clinical information including lab results, and social security ID numbers were all compromised, Harvard Pilgrim said. 

The latest notification letters mark the fourth time Harvard Pilgrim has updated the total number of victims. An update in February put the total number at 2,632,275 individual records exposed; now it is reporting a total of 2,860,795 people. 

As is usually the case in these sorts of dramas, credit monitoring and identity protection services are being offered, and the business doesn’t believe any of the stolen data has been misused as a result of the theft – that it knows about at least. 

It’s not uncommon for victim numbers to increase during the course of an investigation, though 2.8 million is a lot of people and may not be the final tally yet.

“Our investigation is still underway and we will continue to provide notification in the event we identify additional individuals whose information may have been impacted,” a spokesperson told The Register.