Healthcare company WebTPA discloses breach affecting 2.5 million people

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen.

WebTPA said in a data breach notice published earlier this month that the company detected “evidence of suspicious activity” on December 28, 2023, which prompted the company to launch an investigation “to mitigate the threat and further secure our network.”

The investigation, the company said, “concluded that the unauthorized actor may have obtained personal information between April 18 and April 23, 2023,” approximately eight months before the company detected the breach.

“The information that was impacted may have included name, contact information, date of birth, date of death, Social Security number, and insurance information. Not every data element was present for every individual,” the company wrote in the notice posted on its website.

WebTPA reported the breach to the U.S. Department of Health and Human Services earlier this month on May 8, according to the federal department’s website. In this report, WebTPA disclosed that the breach affected 2,429,175 individuals and that the breach occurred on a “network server.”

TechCrunch asked the company to clarify exactly how many people had their Social Security numbers stolen, among other questions. WebTPA did not respond to multiple requests for comment.

WebTPA also said that it is not aware of “any misuse of benefit plan member information,” and that financial account information, credit card numbers as well as “treatment or diagnostic information” were not impacted in the breach.

Contact Us

Do you know more about this WebTPA breach? Or similar data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.