$13.75M Settlement Agreed to Resolve WebTPA Class Action Data Breach Litigation
WebTPA Employer Services (WebTPA) and the co-defendants in a consolidated class action lawsuit have agreed to a $13,750,000 settlement to resolve claims relating to an April 2024 cyberattack and data breach.
WebTPA is a third-party administrator that provides custom health plans for self-funded employer groups, hospital health plans, and administrative outsourcing services. On April 23, 2023, WebTPA identified suspicious network activity, and the investigation confirmed unauthorized access to its network between April 18, 2023, and April 23, 2023, and potentially exfiltrated sensitive data. The data breach was communicated to its customers on or around March 25, 2024, and individual notification letters were mailed to the affected individuals starting on May 8, 2024, and the HHS’ Office for Civil Rights was informed that the protected health information of 2,518,533 individuals had been exposed and potentially compromised in the incident.
WebTPA was named in 13 putative class action lawsuits over the data breach, along with other defendants. Since the lawsuits had overlapping claims, they were consolidated into a single action – David Harrell v. WebTPA Employer Services, LLC, et al. – in the United States District Court for the Northern District of Texas, Dallas Division. The other defendants were Hartford Life and Accident Insurance Company, Anthem Blue Cross Life and Health Insurance Company, and Elevance Health, Inc.
The consolidated lawsuit alleged the defendants failed to implement reasonable and appropriate cybersecurity measures to protect the sensitive data stored on its network, and asserted claims of negligence, negligence per se, breach of implied contract, breach of third party beneficiary contract, unjust enrichment, and violations of the California Consumer Privacy Act, Illinois Consumer Fraud and Deceptive Practices Act, Missouri Consumer Protection Law statute, New York General Business Law statute, North Carolina Consumer Protection Law statute, Pennsylvania Unfair Trade Practice and Consumer Protection Law statute.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The defendants maintain there was no wrongdoing and disagree with the claims and contentions in the lawsuit; however, they agreed to a settlement to avoid the risks and costs associated with continuing with the litigation. Following a full day of mediation on January 14, 2025, the material terms of a settlement were agreed upon. The terms of the settlement have now been finalized and have received preliminary approval from the court.
Under the terms of the settlement, the defendants will establish a $13,750,000 settlement fund, which will provide benefits to class members that will be paid from the remaining settlement funds after attorneys’ fees and costs have been paid, along with service awards for the named plaintiffs and settlement administration costs.
One of two cash payments may be claimed by class members. A claim may be submitted for a cash payment of up to $5,000 per class member for reimbursement of documented, unreimbursed losses, or alternatively, class members may claim a cash payment, which is expected to be approximately $100, but will be adjusted up or down and paid pro rata depending on the number of valid claims received.
In addition, members of the California subclass, who were California residents between April 18, 2023, and April 23, 2023, are also entitled to claim a California Statutory Payment, estimated to be $50. In addition to a cash payment, class members may also choose to receive a two-year membership to CyEx’s Medical Shield monitoring product, which includes real-time alerts about the potential misuse of their medical information and a $1,000,000 medical identity theft insurance policy, valued at $90 per class member.
