WebTPA Health Plan Administrator Announces 2.4 Million Record Data Breach
WebTPA Employer Services, a Texas-based provider of administrative services to health plans, has confirmed that hackers had access to systems containing the protected health information of more than 2.4 million health plan members.
WebTPA is a subsidiary of GuideWell Mutual Holding Corporation and its client list includes many large insurance companies. WebTPA provides a range of services to health plans and insurance companies, including claims processing, enrollment management, customer service, reporting, and analytics.
WebTPA identified suspicious activity within its network on December 28, 2023, and prompt action was taken to secure its systems. Third-party cybersecurity specialists were engaged to investigate the activity and confirmed that a threat actor may have obtained plan member data between April 18 and April 23, 2023. The data potentially obtained in the attack included names, contact information, dates of birth, dates of death, Social Security numbers, and health insurance information. WebTPA said financial and health information were not compromised in the incident and no evidence has been found of misuse of the affected data.
WebTPA provided a list of the affected patients and stolen data to the affected benefit plans and insurance companies on March 25, 2024, and started sending individual notifications to the affected individuals in April – A year after the breach occurred. The affected individuals have been offered 2 years of complimentary credit monitoring and identity theft protection services. The HHS’ Office for Civil Rights was notified about the breach on May 8, 2024. The breach report indicates that 2,429,175 individuals were affected. WebTPA said it has implemented additional security measures to prevent similar incidents in the future.
Several individuals have taken legal action against WebTPA over the breach. At least 8 class action lawsuits have already been filed by affected policyholders that allege WebTPA failed to implement reasonable security measures to protect sensitive data and that the company did not issue timely notifications. The lawsuits allege violations of state laws and the Health Insurance Portability and Accountability Act (HIPAA).
