WebTPA Employer Services, the Texas-based provider of administrative services to health insurance and benefits plans, reported to the Department of Health and Human Services on May 8 that more than 2.4 million plan members had their personal information stolen.
Click for more special coverage
In an undated notice posted on its website, WebTPA said the information that was impacted included names, contact information, dates of birth, dates of death, Social Security numbers, and insurance information. The company added that not every data element was present for every individual and that no financial or health data were impacted.
WebTPA said the provider first learned of the incident on Dec. 28 when they detected evidence of suspicious activity on the WebTPA network. At that point, WebTPA launched an investigation with the support of industry-leading third-party cybersecurity experts and also notified federal law enforcement.
The investigation concluded that the threat actor may have obtained personal information between April 18 and April 23, 2023. WebTPA said once it learned of the breach last December it then informed benefit plans and insurance companies about the incident and the potential exposure of personal information. The company finally provided the stolen data information to benefit plans and insurance companies on March 25, 2024, and in April started sending out letters to affected consumers across the country.
While the time to discover the breach and the dwell time here are pretty dismal, they are within the normal ranges where "normal" includes countless companies with inadequate cybersecurity measures, said John Gunn, chief executive officer at Token.
“When you add up the number of SSNs that have been stolen by cybercriminals over the years, including the mega-breaches at Equifax and Anthem BCBS, it’s in the hundreds of millions, so the cybercriminals picked up a large number of SSNs that are already available on the dark web,” said Gunn. “Now, they can start selling them against others who are selling the same SSNs.”
Gunn added that companies can expect to see a large number of class action lawsuits against healthcare providers that do not adequately protect personal data. There’s already a huge upswing in breach-related litigation and much more will follow, said Gunn.
“This may sound bad, but it will soon emerge as the No. 1 motivator for organizations to do a better job of protecting data,” said Gunn.
Toby Gouker, chief security officer, First Health Advisory, added that the WebTPA incident feels like a textbook example of how malicious actors are traversing the kill chain today. Gouker said the attack likely began with some reconnaissance activities before April 18, 2023, until a vulnerable access point was compromised. Once inside, Gouker said the bad actors probably moved laterally and escalated privileges before covering their exit tracks with obfuscation techniques.
Gouker said from the type of personally identifiable information obtained, it’s fair to conclude that the actors were gathering information for identity theft activity, conducted either by themselves or to be sold to another dark web agent. The detection of suspicious activity on Dec. 28 makes it appear like the malicious actors were returning to the scene of their previous crime to try and extract more information, explained Gouker.
“It’s not uncommon for a malicious actor to be in a system for eight months like this,” said Gouker. “If a malicious actor does a good job of obfuscation, they can remain in a system for a year or more, either waiting to launch an initial exploit when the time is right or to conduct a repeat exploitation of a valuable asset.”
Narayana Pappu, chief executive officer at Zendata, added that stealing social security numbers can be very serious.
“Assuming the attackers have a complete Social Security number — meaning all nine digits vs. the last four numbers — hackers can combine Social Security numbers with dates-of-birth to apply for new credit cards, open bank accounts, or perform elaborate schemes, such as SIM swapping,” said Pappu.