The recent security
incident at GuideWell subsidiary WebTPA, a health benefits
administrator, has affected an estimated 2.4 million individuals, with
unauthorized access to a network server potentially exposing personal
information. The intrusion, identified on December 28, 2023, is suspected to
have occurred between April 18 and April 23, 2023. The information at risk
includes names, contact details, birth and death dates, Social Security
numbers, and insurance information. However, it's important to note that
financial and health treatment data were not compromised.
In response to the breach, WebTPA has informed those impacted
and has provided credit monitoring and identity theft protection services.
Additionally, they have taken steps to fortify their network security to avert
similar occurrences in the future. The situation has led to several class
action lawsuits, citing negligence in safeguarding data and delays in notifying
about the breach.
Industry experts are weighing in on the breach, discussing its
repercussions and its ongoing impact on the public trust in the healthcare
system.
++
Kiran Chinnagangannagari, Co-Founder, Chief Product &
Technology Officer, Securin
"The sheer number of healthcare data breaches this year is
staggering - 283 and counting since January. It's a stark reminder of the
fragility of our healthcare system and the fact that adversaries are
deliberately targeting critical infrastructure. Just look at the recent
breaches at Change Healthcare, Ascension Hospital Chain, MediSecure, and WebTPA
- it's a veritable who's who of healthcare organizations falling prey to cyber
threats.
And if that's not alarming enough, consider this: there are
nearly 118,500 exposed internet-facing OT/ICS devices worldwide, with the U.S.
accounting for a whopping 26% of those devices. It's a ticking time bomb,
waiting to unleash chaos on our already fragile healthcare system.
Organizations need to wake up and take responsibility for monitoring and
securing their attack surface - it's no longer a nicety but a necessity.
On a more optimistic note, CISA's Eric Goldstein testified in a
House of Representatives hearing that real-time visibility into vulnerabilities
has led to a whopping 79% reduction in the surface of the federal civilian
agency attack. That's a huge win! It just goes to show that binding operative
directives can make a real difference in reducing cyber risk. It is crucial
that these measures are extended beyond federal civilian agencies to achieve a
broader impact.
The WebTPA breach also underscores a disturbing trend: many
security breaches originate from third-party partners or suppliers within an
organization's supply chain. It's a harsh reality, but organizations need to
get real about evaluating their partners' cybersecurity practices. To take it a
step further, the SEC should mandate incident and breach reporting in 8-K
filings - even when caused indirectly by suppliers. It's time for some
accountability in the cybersecurity space."
Ilona Cohen, Chief Legal and Policy Officer, HackerOne
"This latest breach adds to a troubling increase in
cyberattacks affecting the healthcare industry.
Healthcare organizations must use every tool available to reduce the
chance of a breach, especially when the exploitation of healthcare data places
patients' privacy and safety at risk.
Ethical hacking is an underutilized solution in the healthcare
industry that offers significant protection from cyber threats. Still, laws
like HIPAA don't clearly distinguish between good-faith security research and
malicious data exploitation.
Collaborating with ethical hackers can help the healthcare
sector prevent cyberattacks before they occur, ultimately safeguarding
sensitive patient data, medical devices, and health delivery infrastructure.
Lawmakers can aid the healthcare industry by clarifying that
discovering vulnerabilities in good faith does not constitute a breach.
Otherwise, the healthcare industry loses a significant advantage in identifying
vulnerabilities and fixing them before cyberattacks occur."
Nathan Vega, Vice President, Product Marketing and
Strategy, Protegrity
"Organizations rely on the exchange of data for their
vitality. Consumers share sensitive information like emails, addresses, Social
Security numbers, and other personal identifiable information (PII) with the
belief that these businesses will protect them as customers and the impression
that they will abide by data protection and privacy laws to prevent their data
from getting into the wrong hands.
The WebTPA data breach is an example of the growing concerns
regarding the assumed trust between businesses and their customers. This attack
is impacting almost 2.5 million people and has exposed Social Security numbers
and insurance information. Having occurred in April of 2023, this data has been
floating around for public consumption without customer knowledge for over a
year.
This breach illustrates that de-identifying sensitive data
is critical to protecting consumer information. Organizations must go beyond
layering defenses to protect sensitive data and instead move towards
regulator-recommended data protection methods. This includes encryption and
tokenization to render data useless to attackers, making it impossible to steal
and use data maliciously. When this is done, businesses are lowering the value
of stolen data and avoiding the lasting effects of ransom payments or fraudulent
activity."
John Stringer, Head of Product, Next DLP
"Healthcare companies, being a repository of vast volumes of
personal and financial data, make them exceptionally enticing prey for threat
actors, as made evident with the information targeted in the recent WebTPA
breach. This incident should serve as a reminder of the importance of data loss
prevention solutions, combined with other security measures, to mitigate the
impact of a breach.
While WebTPA has offered identity monitoring services and
claimed to be unaware of the misuse of any benefit plan member information, it
doesn't mean the end of the story for the consumers. To them, this loss of PII
will likely lead to further phishing and fraud attempts."
##