WebTPA is a Texas-based third-party administrator that works in claims adjudication for Prudential-sponsored medical programs. WebTPA works under the Aetna Signature Administrators network. The company describes itself as “one stop for everything medical,” helping patients navigate the healthcare system, benefits, finding a provider, and making medical decisions.
The organization has a wide influence; the company works with many providers, hospitals, and insurance companies across the United States.
Unfortunately, WebTPA recently disclosed that it faced a large data breach. The breach was discovered on December 28th, 2023, and is estimated to have impacted more than 2.4 million individuals.
How It Started
In an online notice, WebTPA disclosed they had detected evidence of suspicious activity on their network on December 28th, 2023. After the discovery, WebTPA quickly launched an investigation with support from a third-party cybersecurity firm. WebTPA also took steps to mitigate the threat and secure the network.
The investigation found that an unauthorized actor may have obtained personal information between April 18th and April 23rd, 2023.
While WebTPA has not revealed details regarding the investigation, one expert, Toby Gouker, chief security officer of First Health Advisory, said he believed the attack began with reconnaissance activities before April 18th. The malicious actor likely lurked until finding a vulnerable access point to compromise.
As in many cases, Gouker believed the actors likely moved laterally to continue escalating privileges and accessing data. Once the data had been stolen, it’s possible the actor covered their tracks through encryption or other obfuscation methods.
Once the investigation was completed, WebTPA notified the benefit plans and insurance companies they partner with. After initial notice, WebTPA stated they continued to investigate to determine the extent of impacted data. They provided confirmation of this information to benefit plans and insurance companies on March 25th, 2024.
Impacted information may have included names, contact information, dates of birth and death, Social Security numbers, and insurance information.
The company began sending out letters to impacted individuals in April.
Facing the Consequences
To help impacted individuals, WebTPA is offering two years of complimentary identity monitoring services. The company has also said they are deploying additional security measures and tools with guidance from cybersecurity experts.
Unfortunately for WebTPA, it’s likely that they will face further consequences. According to the HHS website, the company is under investigation and could potentially face penalties if it is found that it violated privacy laws or could have prevented the attack.
Several law firms are also launching investigations that have the potential to become class action lawsuits. In the last year, class action suits related to data breaches have skyrocketed, showing that the public is increasingly cognizant of negligence and the misuse of data.
For impacted individuals, data breaches are potentially more hazardous than ever. With increasing breaches, many are finding themselves the victim of multiple leaks, which can allow malicious actors to aggregate the stolen data. Once collected, criminals may have a significant amount of personal information that can be used to open new accounts, answer security questions, and more. Ultimately, no breach is ever truly harmless.
A Growing Trend
In 2024, we’ve noticed a growing trend of third-party breaches. Third parties are considered any vendor or company that does not generally work with patients directly, but works with hospitals and thus, has access to protected health information
According to a spring report from SecurityScorecard, 29% of breaches have third-party attack vectors. While other industries also face third-party attacks, the financial and healthcare industries are considered the most vulnerable.
75% of external relationships that enabled a third-party breach involved software or another technology product or service.
The report noted that healthcare can be a particularly challenging industry to mitigate these risks, as healthcare organizations tend to work with a number of third parties–from insurers to administrators to software companies, employers, and more. Although these companies store identifying and protected health information, they don’t always keep the same high-security standards.
While third parties can increase vulnerability, they are a necessary component for a smoothly operating healthcare system. It is, however, essential that third parties and healthcare organizations alike pay close attention to their cybersecurity practices.
What the Experts Said
Some experts have questioned the time it took for WebTPA to investigate and provide notice of the breach. Notifications to impacted individuals began approximately 5 months after WebTPA first discovered the breach, and nearly a full year after the breach had occurred.
John Gunn, Chief Executive Officer at Token said that WebTPA’s timeline has been somewhat typical, but that only points to a larger problem within the industry; many organizations currently have inadequate cybersecurity measures and protocols.
As cybercrime increases, Gunn also believes more litigation will follow. “This may sound bad, but it will soon emerge as the No. 1 motivator for organizations to do a better job of protecting data,” he said.
Toby Gouker of First Health Advisory commented on the time the malicious actor spent lurking. He explained that it’s fairly common for actors to spend long periods of time in a system, “If a malicious actor does a good job of obfuscation, they can remain in a system for a year or more, either waiting to launch an initial exploit when the time is right or to conduct a repeat exploitation of a valuable asset.”
How Cloudticity Can Help
Data shows data breaches have spiked in 2023, and 2024 is unlikely to be different. Both healthcare organizations and the third parties they partner with continue to be targeted.
Attacks themselves can be devastating–leading to significant amounts of downtime that can directly impact patients. From the massive Change attack to Ascension, and now WebTPA, we can see just how devastating breaches can be on companies and people.
With increasing costs–breaches now cost a whomping average of $11 million per event, mounting lawsuits, and the likelihood of downed operations, it’s more important than ever for healthcare organizations to prioritize security.
These harmful attacks can be prevented, but it takes the right security system and strategy. Cloudticity has managed HIPAA workloads in the cloud for over 12 years, and we’ve never had a breach due to our defense-in-depth security practices, best-in-class tools, and top-notch security talent.
Learn more about how Cloudticity’s Managed Security for Healthcare can help you address critical cybersecurity challenges. Reach out today for a free consultation.