A company that provides administrative services to health benefit plans and insurance companies says it was the victim of a “data security incident” in 2023 that potentially affected more than 2.4 million people.

In an undated notice on its website, Texas-based WebTPA reported that an investigation launched in December 2023 revealed that an “unauthorized actor may have obtained personal information between April 18 and April 23, 2023.”

WebTPA did not provide details of the incident, but said it took the usual step of hiring third-party security experts and notifying law enforcement.

The announcement comes as the global health care industry reckons with a string of data breaches, including the massive disruption to Change Healthcare earlier this year, and a recent ransomware attack on the Ascension hospital chain. This week an Australian company that handles prescriptions, MediSecure, disclosed a ransomware incident. 

WebTPA told the federal Department of Health and Human Services on May 8 that the breach could have affected 2,429,175 people. The exposed information is different depending on the individual, WebTPA said, and it could include “name, contact information, date of birth, date of death, Social Security number, and insurance information.”

In a sample notification letter filed with California regulators, company President Lisa Tranberg said the potential damage appears to be limited. 

“WebTPA is not aware of any misuse of your information as a result of this incident,” Tranberg said. “Your financial information, such as financial account information or credit card numbers, and treatment or diagnostic information were not impacted.”

WebTPA said that it notified benefit plans and insurance companies of the breach on March 25.