Earlier this month, the U.S. Department of Health and Human Services disclosed a significant data breach affecting nearly 2.5 million individuals linked to WebTPA Employer Services (WebTPA). This breach has impacted customers of major insurance companies, including The Hartford, Transamerica, and Gerber Life Insurance.
WebTPA, a subsidiary of GuideWell Mutual Holding Corporation, serves as a third-party administrator (TPA), offering customized administrative services to health plans and insurance companies. With a workforce of 18,000 and annual revenues of $103 million, WebTPA's network was compromised last year, but the breach was only discovered in December.
A recent update from the U.S. Department of Health and Human Services data breach portal reports that 2,429,175 individuals have been affected. According to WebTPA's notification, the threat actor accessed personal data for five days, from April 18 to April 23, 2023. The breach was discovered on December 28, 2023, prompting an immediate investigation.
"On December 28, 2023, we detected evidence of suspicious activity on the WebTPA network that prompted us to launch an investigation," reads the announcement. "The investigation concluded that the unauthorized actor may have obtained personal information between April 18 and April 23, 2023."
WebTPA informed benefit plan providers and insurance companies of the data breach on March 25, 2024, and sent notices to affected individuals on May 8, 2024. The exposed data includes full names, contact information, dates of birth (and death where applicable), Social Security Numbers (SSN), and insurance information. Fortunately, financial account information, credit card numbers, and medical treatment and diagnostic information were not accessed.
Among the impacted companies are Dean Health Plan, APA Voluntary Supplemental Medical Plan, The Hartford, Transamerica, and Gerber Life Insurance. In response, WebTPA has offered two years of credit monitoring, identity theft protection, and fraud consultation services through Kroll, available until August 1st. |
While WebTPA claims no known misuse of the exposed data, affected individuals are advised to remain vigilant for potential fraud and phishing attempts. Monitoring credit reports and considering a security freeze on credit files are also recommended to mitigate risks.
Nathan Vega, VP at Protegrity, emphasized the breach's implications. "The WebTPA data breach is an example of the growing concerns regarding the assumed trust between businesses and their customers. This attack is impacting almost 2.5 million people and has exposed Social Security numbers and insurance information. Having occurred in April of 2023, this data has been floating around for public consumption without customer knowledge for over a year."
Vega added, "This breach illustrates that de-identifying sensitive data is critical to protecting consumer information. Organizations must go beyond layering defenses to protect sensitive data and instead move towards regulator-recommended data protection methods. This includes encryption and tokenization to render data useless to attackers, making it impossible to steal and use data maliciously."
John Stringer, Head of Product at Next DLP, also highlighted the significance of robust security measures. "Healthcare companies, being a repository of vast volumes of personal and financial data, make them exceptionally enticing prey for threat actors, as made evident with the information targeted in the recent WebTPA breach. This incident should serve as a reminder of the importance of data loss prevention solutions, combined with other security measures, to mitigate the impact of a breach."
Stringer continued, "While WebTPA has offered identity monitoring services and claimed to be unaware of the misuse of any benefit plan member information, it doesn’t mean the end of the story for the consumers. To them, this loss of PII will likely lead to further phishing and fraud attempts."
As the fallout from the WebTPA breach continues, it's clear that more stringent data protection and security measures are essential to safeguard sensitive information and maintain consumer trust.