Hackers accessed the personal data of more than a million people by exploiting a security flaw in a file transfer tool used by Welltok, the healthcare platform owned by Virgin Pulse.
Welltok, a Denver-based patient engagement company that works with health plans to provide communications to subscribers about their health care, confirmed in a data breach notification filed last week with the Maine Attorney General that hackers accessed the sensitive data of more than 1.6 million people.
In a letter sent to affected individuals, Welltok said it was alerted to an alleged compromise of its MOVEit Transfer server, a system that allows organizations to move large sets of often sensitive data across the Internet, after system developer released details of software vulnerability earlier this year. Welltok said it initially determined in July that there was no indication of a compromise. A second investigation, launched by the company in August, found that hackers had “exfiltrated some data” from Welltok’s MOVEit Transfer server.
The compromised data includes individuals’ names, dates of birth, addresses and health information, according to the letter.
In a notice published on its website First published in late October, Welltok said the hackers also accessed some patients’ Social Security numbers, Medicare and Medicaid ID numbers, and health insurance information.
TechCrunch discovered that Welltok’s data breach website includes a “noindex” code, which tells search engines to ignore the web page, making it harder for affected customers to find the statement by searching for it. It is unclear why Welltok hid its data breach notification from search engines.
Welltok said the breach affected the group health plans of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners and Packard Children’s Health Alliance, which Welltok said it notified on Oct. 18 .
However, it appears that Welltok’s breach may affect more health care providers – and more people – than indicated in Welltok’s disclosure to the Maine Attorney General.
Corewell Health, a southeast Michigan healthcare provider that uses Welltok for patient communication, said in a statement Press release Last week, the health information of approximately one million patients, as well as approximately 2,500 Priority Health members, was compromised in the Welltok breach.
Sutter Health, a nonprofit health care provider headquartered in Sacramento, confirmed that more than 840,000 of its patients were affected by the Welltok breach.
St. Bernards, an Arkansas-based healthcare provider that uses a patient contact management platform from Welltok, was also affected, the company said in a statement. statement. In a previous filing Along with the Maine Attorney General, Welltok confirmed that the breach affected nearly 90,000 St. Bernard patients.
The breach notifications for Corewell, Sutter and St. Bernards represent approximately 1.9 million patients, far more than the number of affected patients revealed by Welltok.
TechCrunch requested comment from Welltok, but did not receive a response at the time of publication.
According to researchers at cybersecurity company EmsisoftMOVEit mass hacks — said to be biggest hacking incident of the year by sheer number of people affected – have affected more than 2,600 organizations to date, the majority of which are based in the United States.
Emsisoft estimates that more than 77 million people have been affected so far by the cyberattacks, claimed by the notorious Clop ransomware gang. The actual number of people affected is expected to be considerably higher as more organizations come forward.