WebTPA Data Breach Lawsuit Filed Over 2023 Cyberattack Impacting Current, Former Clients

New to ClassAction.org? Read our Newswire Disclaimer

WebTPA Employer Services faces a proposed class action lawsuit over an April 2023 data breach during which cybercriminals allegedly had “unfettered access” to sensitive personal information belonging to the insurance administrator’s current and former customers. 

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here. 

The 34-page WebTPA data breach lawsuit says the company, which services municipalities and clients in the automotive, health, hospitality and finance industries, “lost control” over the litany of sensitive personal data in its care when the cyberattack began on April 18 of last year. Per the case, the WebTPA data breach lasted until at least April 23, 2023, leaving consumers’ information vulnerable to cybercriminals for an entire week. 

The filing says that, after an internal investigation, WebTPA determined the perpetrators had accessed customers’ names, contact information, dates of birth, dates of death, Social Security numbers and insurance details during the data breach.

At this time, it is unknown exactly how many people were impacted by the WebTPA data breach, the case states. 

“Before this data breach, [WebTPA’s] current and former consumers’ private information was exactly that—private,” the complaint reads. “Not anymore. Now, their private information is forever exposed and unsecure.” 

According to the data breach lawsuit, WebTPA did not detect the unauthorized intrusion on its network until December 28, 2023, eight months after the “suspicious activity” began. 

“In other words,” the proposed class action contends, “Defendant had no effective means to prevent, detect, stop, or mitigate breaches of its systems—thereby allowing cybercriminals unrestricted access to its current and former consumers’ [personally identifiable information].” 

The complaint charges that WebTPA’s data breach notice letter muddied the nature of the breach and the threat it poses to consumers, as the company refused to tell affected individuals how many people were impacted, how the cyberattack happened, or why it took more than a year to begin notifying data breach victims. 

WebTPA’s failure to timely detect and report the data breach left victims vulnerable to identity theft, with no warning to monitor their financial accounts or credit reports, the case mentions.

“In failing to adequately protect Plaintiff’s and the Class’s [personal information], failing to adequately notify them about the breach, and by obfuscating the nature of the breach, Defendant violated state and federal law and harmed an unknown number of its current and former [customers],” the lawsuit alleges. 

According to the case, WebTPA serves more than 2.7 million members with 25,000 benefit plan structures, processing more than 6.4 million claims annually. 

The WebTPA data breach class action lawsuit looks to cover all United States residents whose personally identifiable information was compromised in the data breach discovered by WebTPA Employer Services in December 2023, including all those who received notice of the breach.

Are you owed unclaimed settlement money? Check out our class action rebates page full of open class action settlements.