Administration services provider to medical insurance and benefit plans, WebTPA based in Texas, recently began sending notification letters to 2,429,175 benefit plan members concerning the potential theft of some of their protected health information (PHI) during a hacking incident over a year ago.
WebTPA, a GuideWell Mutual Holding Corporation subsidiary, mentioned in its notification letters that a system attack was discovered on December 28, 2023. The system was promptly secured to stop continuing unauthorized access. The company launched an investigation to find out the nature and scope of the data security breach. Third-party cybersecurity professionals helped WebTPA to confirm that an unauthorized actor possibly acquired the PHI of benefit plan members from April 18 to April 23, 2023.
WebTPA immediately informed the impacted benefit plans and insurance firms concerning the cyberattack and then took action to know the number of people impacted and the types of information involved. The breached data because of the security incident differed from person to person and potentially contained names along with at least one of these data: contact details, date of birth and death, insurance details, and Social Security number. WebTPA stated that no financial data nor medical data were affected by the security incident.
On March 25, 2024, clients were informed concerning the result of the investigation. On May 8, 2024, the breach report was submitted to the HHS’ Office for Civil Rights and state attorneys general. WebTPA stated it does not know of any attempted or actual misuse of benefit plan member data during the distribution of notifications. Nevertheless, the impacted persons were provided free credit monitoring and identity theft protection services for 2 years as a safety precaution. WebTPA stated it got advice from cybersecurity specialists and has applied extra security procedures to reinforce network security and stop the same breaches later. Impacted insurance providers were Transamerica, The Hartford, and Gerber Life Insurance.
WebTPA is facing 7 class action lawsuits as a result of the data breach. The lawsuits assert WebTPA was at fault for not implementing reasonable and proper data security procedures to protect the privacy of the PHI it kept and did not send prompt breach notifications to the impacted persons, which violates state consumer data protection legislation and the Health Insurance Portability and Accountability Act (HIPAA).
This is the fifth data breach report involving 1 million+ healthcare data records in 2024. It is also the third biggest security breach of 2024, for now, following Kaiser Foundation Health Plan’s 13.4 million-record breach, and the business associate of Concentra Health Services’ 3,998,162 data breach. The Change Healthcare data breach in February 2024 is probably much bigger, possibly affecting the PHI of over 110 million Americans; nevertheless, neither Change Healthcare nor UnitedHealth Group, its parent company, has affirmed the number of people impacted.