Over two million exposed after breach of US healthcare firm

WebTPA, a third-party health plan administrator, has had its systems penetrated, exposing millions of customers’ personal details, including insurance information.

Attackers roamed the company’s network for several days in April of 2023, WebTPA said in a breach notification letter to affected individuals. However, the company detected the breach only in December of 2023, notifying potential victims in May 2024, which means people whose data was impacted learned about it over a year after the incident.

“The investigation concluded that the unauthorized actor may have obtained personal information between April 18th and April 23rd, 2023. WebTPA promptly informed benefit plans and insurance companies about the incident and the potential exposure of personal information,” the company said.

The incident’s postmortem revealed that attackers may have accessed personal client details such as names, contact details, dates of birth, dates of death, Social Security numbers, and insurance information.

According to information that WebTPA submitted to the US Department of Health and Human Services, north of 2.4 million people were impacted in the attack.

While the company stressed that “not every data element was present for every individual,” exposure of personally identifiable information (PII) poses risks to impacted individuals, from identity theft to targeted phishing attacks.

WebTPA said it will cover two years of identity monitoring services for impacted individuals, adding that the company is unaware of “misuse of benefit plan member information as a result of this incident.”

WebTPA is a subsidiary of GuideWell Mutual Holding Corporation, one of the largest mutual insurance holding companies in the US. The company provides administrative services to health plans and insurance companies. WebTPA employs nearly 18,000 staff and records over $100 million in revenue.