WebTPA breach exposed 2.4 million members to hackers

The breach of WebTPA’s servers appears to be a lot worse than previously thought, but many important details remain unknown.

In a statement earlier this month, the employee benefits company said it first detected suspicious activity on its network in December. An investigation “concluded that the unauthorized actor may have obtained personal information between April 18 and April 23, 2023,” culminating in the breach being reported to the U.S. Department of Health and Human Services (HHS) on May 8, 2024.

Now, the HHS breach portal has been updated to reveal that 2,429,175 individuals had personal data exposed to hackers, including their name, contact information, date of birth, Social Security number, and insurance information. However, WebTPA added that not “every data element was present for every individual.”

The HHS website now confirms it was a “network server” that was breached, but there are no details on how cybercriminals gained access. Further, specifics on how many Social Security numbers were taken were not revealed, and it’s also not clear what data was moved offsite by hackers. HealthExec has reached out to WebTPA asking for more information and will update this post with any response.

WebTPA said it is “not aware of any misuse of benefit plan member information as a result of this incident,” adding that medical records with specific diagnoses and patient care history were not accessed. The company first notified benefit plans and insurance providers about the breach on March 25, 2024.

According to Bloomberg Law, WebTPA is facing multiple lawsuits over the incident. The company has not said why its investigation took so long, nor has it claimed responsibility for notifying the 2.4 million members impacted by the breach.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
