WebTPA is a medical claims administrator for health insurance and benefits plans. On December 28, 2023, the Texas firm discovered that it had experienced a data security incident involving certain systems on its network. Subsequent investigation concluded that an unauthorized actor may have exfiltrated personal information between April 18 and April 23, 2023. WebTPA’s clients were notified of the incident on March 25, 2024.
According to a notice on its site, the information that was impacted may have included name, contact information, date of birth, date of death, Social Security number, and insurance information. Not every data element was present for every individual. Financial information, such as financial account information or credit card numbers, and treatment or diagnostic information were not impacted. The notice does not explain why an incident that occurred in April was not detected until December.
The notice provides additional information on mitigation support and other steps the firm has taken in response to the attack.
The incident was reported to HHS on May 8 as affecting 2,429,175 patients. The names of the client firms were not provided as part of WebTPA’s website notice.