Breaking Down the WebTPA Data Breach: Expert Analysis and Perspectives

The recent WebTPA data breach has impacted approximately 2.4 million individuals, with unauthorized access to a network server leading to potential exposure of personal information. The breach, detected on December 28, 2023, is believed to have occurred between April 18 and April 23, 2023. Compromised data may include names, contact information, dates of birth and death, Social Security numbers, and insurance details.  However, financial and health treatment information were reportedly not affected.

WebTPA has since notified affected parties and offered credit monitoring and identity theft protection services while enhancing network security to prevent future incidents. Multiple class action lawsuits have been filed, alleging negligence in data security and delayed breach notification.

Experts share their thoughts on the breach and the impact breaches on the healthcare system continue to have on the public at large.

Kiran Chinnagangannagari, Co-Founder, Chief Product & Technology Officer, Securin

“The sheer number of healthcare data breaches this year is staggering – 283 and counting since January. It’s a stark reminder of the fragility of our healthcare system and the fact that adversaries are deliberately targeting critical infrastructure. Just look at the recent breaches at Change Healthcare, Ascension Hospital Chain, MediSecure, and WebTPA – it’s a veritable who’s who of healthcare organizations falling prey to cyber threats.

And if that’s not alarming enough, consider this: there are nearly 118,500 exposed internet-facing OT/ICS devices worldwide, with the U.S. accounting for a whopping 26% of those devices. It’s a ticking time bomb, waiting to unleash chaos on our already fragile healthcare system. Organizations need to wake up and take responsibility for monitoring and securing their attack surface – it’s no longer a nicety but a necessity.

On a more optimistic note, CISA’s Eric Goldstein testified in a House of Representatives hearing that real-time visibility into vulnerabilities has led to a whopping 79% reduction in the surface of the federal civilian agency attack. That’s a huge win! It just goes to show that binding operative directives can make a real difference in reducing cyber risk. It is crucial that these measures are extended beyond federal civilian agencies to achieve a broader impact.

The WebTPA breach also underscores a disturbing trend: many security breaches originate from third-party partners or suppliers within an organization’s supply chain. It’s a harsh reality, but organizations need to get real about evaluating their partners’ cybersecurity practices. To take it a step further, the SEC should mandate incident and breach reporting in 8-K filings – even when caused indirectly by suppliers. It’s time for some accountability in the cybersecurity space.”

Ilona Cohen, Chief Legal and Policy Officer, HackerOne 

“This latest breach adds to a troubling increase in cyberattacks affecting the healthcare industry.  Healthcare organizations must use every tool available to reduce the chance of a breach, especially when the exploitation of healthcare data places patients’ privacy and safety at risk.

Ethical hacking is an underutilized solution in the healthcare industry that offers significant protection from cyber threats. Still, laws like HIPAA don’t clearly distinguish between good-faith security research and malicious data exploitation.

Collaborating with ethical hackers can help the healthcare sector prevent cyberattacks before they occur, ultimately safeguarding sensitive patient data, medical devices, and health delivery infrastructure.

Lawmakers can aid the healthcare industry by clarifying that discovering vulnerabilities in good faith does not constitute a breach. Otherwise, the healthcare industry loses a significant advantage in identifying vulnerabilities and fixing them before cyberattacks occur.”

Nathan Vega, Vice President, Product Marketing and Strategy, Protegrity  

“Organizations rely on the exchange of data for their vitality. Consumers share sensitive information like emails, addresses, Social Security numbers, and other personal identifiable information (PII) with the belief that these businesses will protect them as customers and the impression that they will abide by data protection and privacy laws to prevent their data from getting into the wrong hands.

The WebTPA data breach is an example of the growing concerns regarding the assumed trust between businesses and their customers. This attack is impacting almost 2.5 million people and has exposed Social Security numbers and insurance information. Having occurred in April of 2023, this data has been floating around for public consumption without customer knowledge for over a year.

This breach illustrates that de-identifying sensitive data is critical to protecting consumer information. Organizations must go beyond layering defenses to protect sensitive data and instead move towards regulator-recommended data protection methods. This includes encryption and tokenization to render data useless to attackers, making it impossible to steal and use data maliciously. When this is done, businesses are lowering the value of stolen data and avoiding the lasting effects of ransom payments or fraudulent activity.”

John Stringer, Head of Product, Next DLP

“Healthcare companies, being a repository of vast volumes of personal and financial data, make them exceptionally enticing prey for threat actors, as made evident with the information targeted in the recent WebTPA breach. This incident should serve as a reminder of the importance of data loss prevention solutions, combined with other security measures, to mitigate the impact of a breach.

While WebTPA has offered identity monitoring services and claimed to be unaware of the misuse of any benefit plan member information, it doesn’t mean the end of the story for the consumers. To them, this loss of PII will likely lead to further phishing and fraud attempts.”

Ad
Join over 500,000 cybersecurity professionals in our LinkedIn group "Information Security Community"!

No posts to display