The recent breach of GuideWell’s subsidiary, WebTPA, a health benefits administrator, has compromised the personal information of approximately 2.4 million individuals.
Unauthorized access to a network server was detected, potentially exposing sensitive data. The breach, discovered on December 28, 2023, is believed to have occurred between April 18 and April 23, 2023. The exposed data includes names, contact details, birth and death dates, Social Security numbers, and insurance information, although financial and health treatment data remained secure.
Following the incident, WebTPA contacted the affected individuals and offered credit monitoring and identity theft protection services. They have also reinforced their network security measures to prevent future breaches. The breach has resulted in multiple class action lawsuits, accusing the company of data security negligence and delayed breach notification.
Experts in the industry are currently analyzing the breach, its consequences, and the broader implications for public trust in the healthcare system.
Nathan Vega, Vice President, Product Marketing and Strategy, Protegrity
“Organizations rely on the exchange of data for their vitality. Consumers share sensitive information like emails, addresses, Social Security numbers, and other personal identifiable information (PII) with the belief that these businesses will protect them as customers and the impression that they will abide by data protection and privacy laws to prevent their data from getting into the wrong hands.
“The WebTPA data breach is an example of the growing concerns regarding the assumed trust between businesses and their customers. This attack is impacting almost 2.5 million people and has exposed Social Security numbers and insurance information. Having occurred in April of 2023, this data has been floating around for public consumption without customer knowledge for over a year.
“This breach illustrates that de-identifying sensitive data is critical to protecting consumer information. Organizations must go beyond layering defenses to protect sensitive data and instead move towards regulator-recommended data protection methods. This includes encryption and tokenization to render data useless to attackers, making it impossible to steal and use data maliciously. When this is done, businesses are lowering the value of stolen data and avoiding the lasting effects of ransom payments or fraudulent activity.”
Kiran Chinnagangannagari, Co-Founder, Chief Product & Technology Officer, Securin
“The sheer number of healthcare data breaches this year is staggering – 283 and counting since January. It’s a stark reminder of the fragility of our healthcare system and the fact that adversaries are deliberately targeting critical infrastructure. Just look at the recent breaches at Change Healthcare, Ascension Hospital Chain, MediSecure, and WebTPA – it’s a veritable who’s who of healthcare organizations falling prey to cyber threats.
“And if that’s not alarming enough, consider this: there are nearly 118,500 exposed internet-facing OT/ICS devices worldwide, with the U.S. accounting for a whopping 26% of those devices. It’s a ticking time bomb, waiting to unleash chaos on our already fragile healthcare system. Organizations need to wake up and take responsibility for monitoring and securing their attack surface – it’s no longer a nicety but a necessity.
“On a more optimistic note, CISA’s Eric Goldstein testified in a House of Representatives hearing that real-time visibility into vulnerabilities has led to a whopping 79% reduction in the surface of the federal civilian agency attack. That’s a huge win! It just goes to show that binding operative directives can make a real difference in reducing cyber risk. It is crucial that these measures are extended beyond federal civilian agencies to achieve a broader impact.
“The WebTPA breach also underscores a disturbing trend: many security breaches originate from third-party partners or suppliers within an organization’s supply chain. It’s a harsh reality, but organizations need to get real about evaluating their partners’ cybersecurity practices. To take it a step further, the SEC should mandate incident and breach reporting in 8-K filings – even when caused indirectly by suppliers. It’s time for some accountability in the cybersecurity space.”
Ilona Cohen, Chief Legal and Policy Officer, HackerOne
“This latest breach adds to a troubling increase in cyberattacks affecting the healthcare industry. Healthcare organizations must use every tool available to reduce the chance of a breach, especially when the exploitation of healthcare data places patients’ privacy and safety at risk.
“Ethical hacking is an underutilized solution in the healthcare industry that offers significant protection from cyber threats. Still, laws like HIPAA don’t clearly distinguish between good-faith security research and malicious data exploitation.
“Collaborating with ethical hackers can help the healthcare sector prevent cyberattacks before they occur, ultimately safeguarding sensitive patient data, medical devices, and health delivery infrastructure.
“Lawmakers can aid the healthcare industry by clarifying that discovering vulnerabilities in good faith does not constitute a breach. Otherwise, the healthcare industry loses a significant advantage in identifying vulnerabilities and fixing them before cyberattacks occur.”
John Stringer, Head of Product, Next DLP
“Healthcare companies, being a repository of vast volumes of personal and financial data, make them exceptionally enticing prey for threat actors, as made evident with the information targeted in the recent WebTPA breach. This incident should serve as a reminder of the importance of data loss prevention solutions, combined with other security measures, to mitigate the impact of a breach.
“While WebTPA has offered identity monitoring services and claimed to be unaware of the misuse of any benefit plan member information, it doesn’t mean the end of the story for the consumers. To them, this loss of PII will likely lead to further phishing and fraud attempts.”
