WebTPA breach exposed 2.4 million members to hackers

The breach of WebTPA’s servers appears to be a lot worse than previously thought, but many important details remain unknown.

In a statement earlier this month, the employee benefits company said it first detected suspicious activity on its network in December. An investigation “concluded that the unauthorized actor may have obtained personal information between April 18 and April 23, 2023,” culminating in the breach being reported to the U.S. Department of Health and Human Services (HHS) on May 8, 2024.

Now, the HHS breach portal has been updated to reveal that 2,429,175 individuals had personal data exposed to hackers, including their name, contact information, date of birth, Social Security number, and insurance information. However, WebTPA added that not “every data element was present for every individual.’’

The HHS website now confirms it was a “network server” that was breached, but there are no details on how cybercriminals gained access. Further, specifics on how many Social Security numbers were taken were not revealed, and it’s also not clear what data was moved offsite by hackers. HealthExec has reached out to WebTPA asking for more information and will update this post with any response.

WebTPA said it is “not aware of any misuse of benefit plan member information as a result of this incident,” adding that medical records with specific diagnoses and patient care history were not accessed. The company first notified benefit plans and insurance providers about the breach on March 25, 2024.

According to Bloomberg Law, WebTPA is facing multiple lawsuits over the incident. The company has not said why its investigation took so long, nor has it claimed responsibility for notifying the 2.4 million members impacted by the breach.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Around the web

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met. 

When regulating AI-equipped medical devices, the FDA might take a page from the Department of Transportation’s playbook for overseeing AI-equipped vehicles. These run the gamut from assisting human drivers to fully taking the wheel. 

Kit Crancer, RBMA board member, speaks with Radiology Business about key legislative developments on the Hill that will affect the specialty.