Another breach has occurred at a large business associate that serves healthcare companies. WebTPA is a third-party administrator providing administrative support to health plans, employers, and insurance companies nationwide. The company manages different customer functions, such as processing claims, managing enrollment, handling customer service, and providing reporting and analytics.
WebTPA, of Irving, Texas, is a GuideWell Mutual Holding Corporation subsidiary. It earns over $100 million in revenue annually and has over 18,000 employees.
WebTPA’s extensive network of healthcare customers dictated the size of this breach, which has affected 2,429,175 individuals, according to the U.S. Department of Health and Human Services data breach portal. As a HIPAA business associate WebTPA is required to follow HIPAA.
Cyber Attackers Were Undetected for Eight Months
According to its website Notice, WebTPA detected suspicious activity on its network on December 28, 2023; they engaged third-party cybersecurity experts, notified law enforcement, and began an investigation. The investigation revealed that an unauthorized party had obtained personal information from WebTPA’s systems eight months earlier, between April 18 and April 23, 2023.
WebTPA informed its customer benefit plans and insurance companies about the incident and the potential exposure of personal information. They continued their investigation to confirm the extent of impacted data, which they shared with their customers on March 25, 2024.
The company says the information disclosed varied by individual but may have included name, contact information, date of birth, date of death, Social Security number, and insurance information.
Some of the individuals affected are plan beneficiaries at insurance companies like The Hartford, Transamerica, and Gerber Life Insurance.
A Massive Breach Triggers a Massive Response
Breaches of this size have repercussions beyond today’s headlines. WebTPA faces costly investigations, lawsuits, and damage to its reputation.
According to Bloomberg Law, the company already faces seven proposed class action lawsuits over the breach. The lawsuits allege that WebTPA failed to implement reasonable data security measures as HIPAA requires. The plaintiffs also took issue with the delayed breach notification.
Although the WebTPA breach is small compared to the one at Change Healthcare, which affected 1 in 3 persons in the United States, the situation is similar. Change Healthcare and WebTPA are third-party vendors with hundreds (or thousands) of healthcare customers. When a cyberattack happens at the vendor, all the vendor’s customers are at risk, as are all the individuals who use those providers and health plans.
If the situation unfolds like other significant cyber incidents at big companies, WebTPA will likely be required to upgrade its cybersecurity defense practices if it hasn’t already. It must improve its HIPAA compliance program, starting with an updated HIPAA risk analysis, ensuring its policies are complete and up-to-date, and ensuring its workforce receives current training.
Plan and Prevent Cyber Attacks with HIPAA Compliance
HIPAA is a blueprint for defense against cybercrime. An annual risk analysis helps uncover security gaps and guides you on how to fill those gaps.
The Security Rule Checklist in The HIPAA E-Tool® is derived from the exact standards and implementation specifications of the HIPAA Security Rule; it helps you identify problem areas and bring them to the surface. Once you can see what’s missing, it’s easy to improve.