
Here is what all Insurance Agency CEOs need to know:

The WebTPA data breach, disclosed this month, has significantly impacted the healthcare and insurance sectors, affecting over 2.4 million individuals.  

WebTPA Employer Services, a subsidiary of GuideWell Mutual Holding Corporation based in Irving, Texas, experienced a major data breach.  

In December 2023, WebTPA detected suspicious activity on its network. The investigation, involving law enforcement and third-party cybersecurity experts, revealed that an unauthorized actor had accessed personal information between April 18 and April 23, 2023, for a total of 5 full days. 

The breach affected 2,429,175 individuals, exposing data such as: 

  • Names 
  • Birthdates 
  • Dates of Death 
  • Social Security Numbers 
  • Contact Information 
  • Insurance Policy Information  

Several large insurance companies that many independent insurance agencies work with were affected by the WebTPA breach, including but not limited to:  

  • The Hartford 
  • Transamerica 
  • Gerber Life Insurance 
  • Dean Health Plan 
  • APA Voluntary Supplemental Medical Plan 

Customers from these firms were among the majority whose personal information was compromised, highlighting the breach’s widespread impact across the industry. 

Notification and Response

Upon detecting the breach on December 28, 2023, WebTPA promptly launched an investigation and notified benefit plans and insurance companies. However, the full extent of the data compromised was only confirmed on March 25, 2024.  

WebTPA has since offered two years of free identity monitoring services through Kroll to the affected individuals and enhanced its network security to prevent future incidents. 

Legal and Regulatory Consequences

WebTPA’s breach has resulted in significant legal and regulatory action, which many regulators believe will only continue to develop: 

  • Class Action Lawsuits: Seven proposed class action lawsuits have been filed, alleging that WebTPA failed to implement adequate data security measures as required by HIPAA and delayed breach notifications.

  • Regulatory Notifications: It is listed as the third-largest breach of the year on the Department of Health and Human Services Office for Civil Rights’ HIPAA Breach Reporting Tool.

Protecting Your Insurance Agency

  • Comprehensive Security Assessments:
      • Conduct regular security assessments to identify and address vulnerabilities in your network 
      • Engage third-party experts for regular penetration testing and security audits 
  • Employee Training: 
      • Train employees on cybersecurity best practices, including recognizing phishing attempts and following secure data handling procedures 
  • Advanced Encryption:
      • Ensure sensitive data is encrypted both at rest and in transit to protect against unauthorized access. 
      • Encrypt all emails and PII data on systems
  • Multi-Factor Authentication (MFA):
      • Implement MFA across all systems to provide an additional layer of security, including but not limited to:
          • When you log into a computer
          • When you log into your Agency Management Software
          • When you access PII data
          • When you access email
  • Incident Response Plan: 
      • Develop and maintain an incident response plan to quickly address breaches.  
      • This plan should include steps for containment, eradication, communication, and recovery. 
  • Vendor Management: 
      • Vet third-party vendors thoroughly and ensure they adhere to your security standards 
      • Run regular risk assessments and penetration tests, or request reports of such testing from your third-party provider, to verify protection
      • Include clear breach notification and response requirements in contracts 
  • Regular Updates and Patching: 
      • Keep all software and systems up to date with the latest security patches to mitigate vulnerabilities 
      • Upgrade out-of-date devices

As always, we have continued to warn the Independent Insurance Industry of potential cybersecurity issues and continue to stress the importance of proper cybersecurity implementation for Agency offices.  

It’s no longer the time to take a backseat view on improving your agency’s security. Find out for sure whether or not your Agency is thoroughly protected, or if you’re just being told “you’re good” like WebTPA before a massive breach.  

Claim your FREE Complete IT and Cybersecurity Assessment and gain the in-depth knowledge you need to keep your Agency above water. Your digital security is not just a necessity; it’s a right. Take action today.