WebTPA Employer Services has disclosed a data breach impacting the personal information of 2,429,175 individuals. The company, a third-party administrator specializing in health insurance and benefits plans, discovered the breach in late 2023.
What happened
WebTPA, based in Irving, Texas, and a subsidiary of GuideWell Mutual Holding Corporation, detected suspicious activity on its network on December 28, 2023. An investigation uncovered that a threat actor had stolen personal information between April 18 and April 23, 2023. The compromised data includes names, contact details, dates of birth, dates of death, insurance information, and Social Security numbers. Financial, credit card and health information were not affected.
WebTPA promptly informed affected benefit plans and insurance companies, including The Hartford, Transamerica, and Gerber Life Insurance, updated clients on the findings on March 25, 2024, and reported the breach to the HHS’ Office for Civil Rights and state attorneys general on May 8, 2024.
Additionally, at least seven class action lawsuits have been filed against WebTPA, alleging negligence in failing to implement adequate data security measures and delays in notifying affected individuals, violating the Health Insurance Portability and Accountability Act (HIPAA).
What was said
According to their Notice of Data Security Incident, WebTPA “diligently worked to confirm the extent of impacted data, which [they] provided to benefit plans and insurance companies on March 25, 2024.”
Furthermore, the company is offering individuals two years of complimentary identity monitoring services through Kroll and states “We also deployed additional security measures and tools with the guidance of third-party cybersecurity experts to further strengthen the security of our network.”
Why it matters
Third-party administrators, like WebTPA, who manage sensitive health information must continuously enhance their security measures as cyber threats evolve. Additionally, they should provide timely notifications and support for affected individuals, such as identity monitoring services.
The bottom line
WebTPA has responded to the breach by enhancing its network security and offering two years of free identity monitoring services to impacted individuals. As such, third-party administrators should implement effective cybersecurity practices to safeguard personal information and maintain compliance with HIPAA and data protection regulations.
