Virtualization Technology News and Information
Industry Specialists Unveil the Impact of the WebTPA Data Breach

The recent security incident at GuideWell subsidiary WebTPA, a health benefits administrator, has affected an estimated 2.4 million individuals, with unauthorized access to a network server potentially exposing personal information. The intrusion, identified on December 28, 2023, is suspected to have occurred between April 18 and April 23, 2023. The information at risk includes names, contact details, birth and death dates, Social Security numbers, and insurance information. However, it's important to note that financial and health treatment data were not compromised.

In response to the breach, WebTPA has notified those affected and has provided credit monitoring and identity theft protection services. It has also taken steps to strengthen its network security to prevent similar incidents in the future. The incident has already prompted several class action lawsuits alleging negligence in safeguarding data and delayed breach notification.

Industry experts are weighing in on the breach, discussing its repercussions and its ongoing impact on public trust in the healthcare system.


Kiran Chinnagangannagari, Co-Founder, Chief Product & Technology Officer, Securin

"The sheer number of healthcare data breaches this year is staggering - 283 and counting since January. It's a stark reminder of the fragility of our healthcare system and the fact that adversaries are deliberately targeting critical infrastructure. Just look at the recent breaches at Change Healthcare, Ascension Hospital Chain, MediSecure, and WebTPA - it's a veritable who's who of healthcare organizations falling prey to cyber threats.

And if that's not alarming enough, consider this: there are nearly 118,500 exposed internet-facing OT/ICS devices worldwide, with the U.S. accounting for a whopping 26% of those devices. It's a ticking time bomb, waiting to unleash chaos on our already fragile healthcare system. Organizations need to wake up and take responsibility for monitoring and securing their attack surface - it's no longer a nicety but a necessity.

On a more optimistic note, CISA's Eric Goldstein testified in a House of Representatives hearing that real-time visibility into vulnerabilities has led to a whopping 79% reduction in the federal civilian agency attack surface. That's a huge win! It just goes to show that binding operational directives can make a real difference in reducing cyber risk. It is crucial that these measures are extended beyond federal civilian agencies to achieve a broader impact.

The WebTPA breach also underscores a disturbing trend: many security breaches originate from third-party partners or suppliers within an organization's supply chain. It's a harsh reality, but organizations need to get real about evaluating their partners' cybersecurity practices. To take it a step further, the SEC should mandate incident and breach reporting in 8-K filings - even when caused indirectly by suppliers. It's time for some accountability in the cybersecurity space."

Ilona Cohen, Chief Legal and Policy Officer, HackerOne

"This latest breach adds to a troubling increase in cyberattacks affecting the healthcare industry. Healthcare organizations must use every tool available to reduce the chance of a breach, especially when the exploitation of healthcare data places patients' privacy and safety at risk.

Ethical hacking is an underutilized solution in the healthcare industry that offers significant protection from cyber threats. Still, laws like HIPAA don't clearly distinguish between good-faith security research and malicious data exploitation.

Collaborating with ethical hackers can help the healthcare sector prevent cyberattacks before they occur, ultimately safeguarding sensitive patient data, medical devices, and health delivery infrastructure.

Lawmakers can aid the healthcare industry by clarifying that discovering vulnerabilities in good faith does not constitute a breach. Otherwise, the healthcare industry loses a significant advantage in identifying vulnerabilities and fixing them before cyberattacks occur."

Nathan Vega, Vice President, Product Marketing and Strategy, Protegrity

"Organizations rely on the exchange of data for their vitality. Consumers share sensitive information like emails, addresses, Social Security numbers, and other personally identifiable information (PII) with the belief that these businesses will protect them as customers and the impression that they will abide by data protection and privacy laws to prevent their data from getting into the wrong hands.

The WebTPA data breach is an example of the growing concerns regarding the assumed trust between businesses and their customers. This attack is impacting almost 2.5 million people and has exposed Social Security numbers and insurance information. Having occurred in April of 2023, this data has been floating around for public consumption without customer knowledge for over a year.

This breach illustrates that de-identifying sensitive data is critical to protecting consumer information. Organizations must go beyond layering defenses to protect sensitive data and instead move towards regulator-recommended data protection methods. This includes encryption and tokenization to render data useless to attackers, making it impossible to steal and use data maliciously. When this is done, businesses are lowering the value of stolen data and avoiding the lasting effects of ransom payments or fraudulent activity."

John Stringer, Head of Product, Next DLP

"Healthcare companies, being repositories of vast volumes of personal and financial data, are exceptionally enticing prey for threat actors, as made evident by the information targeted in the recent WebTPA breach. This incident should serve as a reminder of the importance of data loss prevention solutions, combined with other security measures, to mitigate the impact of a breach.

While WebTPA has offered identity monitoring services and claimed to be unaware of the misuse of any benefit plan member information, it doesn't mean the end of the story for the consumers. To them, this loss of PII will likely lead to further phishing and fraud attempts."


Published Tuesday, May 21, 2024 1:41 PM by David Marshall