Article Details

WebTPA data breach impacts 2.4 million insurance policyholders. The WebTPA Employer Services (WebTPA) data breach disclosed earlier this month is impacting close to 2.5 million individuals, the U.S. Department of Health and Human Services notes. Some of the impacted people are customers at large insurance companies such as The Hartford, Transamerica, and Gerber Life Insurance. WebTPA is a GuideWell Mutual Holding Corporation subsidiary and a third-party administrator (TPA) that provides customized administrative services to health plans and insurance companies. It employs 18,000 people and generates $103 million in annual revenue. The breach happened last year but it was discovered last December, when the company found evidence of suspicious activity on its network. A recent update on the U.S. Department of Health and Human Services data breach portal shows that the number of affected individuals is 2,429,175. According to the notification on WebTPA's website, the threat actor had access to personal data for five days, between April 18 and April 23, 2023. However, WebTPA discovered the breach only in late December and immediately launched an investigation. “On December 28, 2023, we detected evidence of suspicious activity on the WebTPA network that prompted us to launch an investigation,” reads the announcement. “The investigation concluded that the unauthorized actor may have obtained personal information between April 18 and April 23, 2023,” WebTPA notes. WebTPA informed benefit plan providers and insurance companies of the data breach on March 25, 2024. The company sent notices to affected individuals on May 8, 2024, informing that the following types of data had been exposed: The investigation revealed that financial account information, credit card numbers, medical treatment, and diagnostic information have not been exposed to unauthorized access. Multiple health plan and insurance organizations have published notifications saying that the WebTPA data breach has impacted some of their customers. Among the companies with customers affected by the WebTPA breach are Dean Health Plan, APA Voluntary Supplemental Medical Plan, The Hartford (Critical Illness, Hospital Indemnity, Accident, Medicare Supplement and Tricare products), Transamerica, and Gerber Life Insurance. In the data breach notification, WebTPA has included instructions on how to enroll for two years of credit monitoring, identity theft protection, and fraud consultation services through Kroll, which is possible until August 1st. Although WebTPA says it’s not aware of any cases of misuse of the exposed data, affected individuals should remain vigilant for communications from potential fraudsters and refrain from sharing any personal or financial information in such cases. It is also advisable to review credit reports carefully and consider placing a security freeze on credit files to mitigate fraud risks.