WebTPA Data Breach Affects 2.4 Million Health Insurance Policyholders
WebTPA, a Texas-based provider of administration services to health insurance and benefit plans has recently started notifying 2,429,175 benefit plan members that some of their protected health information (PHI) may have been stolen in a hacking incident more than a year ago.
WebTPA, a subsidiary of GuideWell Mutual Holding Corporation, explained in its notification letters that a network intrusion was detected on December 28, 2023. The network was immediately secured to prevent further unauthorized access and an investigation was launched to determine the nature and extent of the security breach. Assisted by third-party cybersecurity experts, WebTPA determined that an unauthorized actor potentially obtained benefit plan members’ PHI between April 18 and April 23, 2023.
WebTPA promptly notified the affected benefit plans and insurance companies about the intrusion and then worked to determine the number of individuals affected and the types of data involved. The information compromised in the security incident varied from individual to individual and may have included names in combination with one or more of the following: contact information, birthdate, date of death, Social Security number, and insurance information. WebTPA said financial information and health information were not compromised in the incident.
Clients were notified about the findings of the investigation on March 25, 2024, and the breach was reported to the HHS’ Office for Civil Rights and state attorneys general on May 8, 2024. WebTPA said it is unaware of any actual or attempted misuse of benefit plan member information at the time of issuing notifications; however, the affected individuals have been offered 2 years of complimentary credit monitoring and identity theft protection services as a precaution. WebTPA said it sought advice from cybersecurity experts and has implemented additional security measures to strengthen network security and prevent similar breaches in the future. Affected insurance companies include The Hartford, Transamerica, and Gerber Life Insurance.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
At least 7 class action lawsuits have already been filed against WebTPA over the data breach. The lawsuits allege WebTPA was negligent by failing to implement reasonable and appropriate data security measures to ensure the confidentiality of the protected health information it stored and did not issue timely notifications to the affected individuals, in violation of state consumer data protection laws and the Health Insurance Portability and Accountability Act (HIPAA).
This is the fifth data breach of 1 million+ healthcare records to be confirmed so far in 2024 and the third largest data breach of the year to date, behind the 13.4 million-record breach at Kaiser Foundation Health Plan, and the 3,998,162-record data breach at a business associate of Concentra Health Services. The data breach at Change Healthcare in February 2024 is likely to be far bigger, potentially involving the PHI of more than 110 million Americans; however, neither Change Healthcare nor its parent company, UnitedHealth Group, have confirmed the number of individuals affected.
