Welltok, a third-party vendor working with health plan providers, suffered a data breach impacting 8,493,379 individuals.
What happened
On May 30, 2023, Welltok, Inc. experienced a significant data breach when an unauthorized actor exploited vulnerabilities and accessed its MOVEit Transfer server. This led to the exfiltration of sensitive data. The breach went unnoticed until July 26, 2023, when Welltok was alerted to potential vulnerabilities in its server software. Although Welltok had previously installed all necessary patches provided by Progress Software, the developer of the MOVEit Transfer tool, its initial assessments did not reveal any compromise. On August 11, 2023, Welltok confirmed that the unauthorized access and data extraction had occurred. Following this, it conducted a detailed reconstruction and review of the server data, and by August 26, 2023, Welltok identified that data related to certain individuals had been compromised during this security incident.
The backstory
The Welltok data breach, part of a series of cyberattacks attributed to the Clop ransomware group, significantly impacts the healthcare sector. This breach mirrors similar incidents at Oregon Health Plan and UMass Chan Medical School, where millions of patients' sensitive data were compromised. These breaches, resulting from vulnerabilities in the MOVEit Transfer system identified by the Cybersecurity & Infrastructure Security Agency (CISA) in June, highlight a worrying trend of targeted attacks on healthcare data. The involvement of the Clop group, known for exploiting software vulnerabilities and demanding ransoms, underscores the evolving challenge of cybersecurity in protecting highly sensitive health information.
Going deeper
On October 24, 2023, Welltok, Inc. announced a data breach affecting the privacy of certain individuals' personal information. In addition to this direct communication with affected parties, Welltok also fulfilled its regulatory obligations by reporting the incident to the appropriate authorities, including the Attorney General of Maine. The organizations affected by this breach include:
- Altru
- Asuris Northwest Health
- BridgeSpan Health
- Blue Cross and Blue Shield of Minnesota and Blue Plus
- Blue Cross and Blue Shield of Alabama
- Blue Cross and Blue Shield of Kansas
- Blue Cross and Blue Shield of North Carolina
- Centerwell Pharmacy
- CHI Health – NE
- CHI Memorial – TN
- CHI Memorial – GA
- CHI Mercy Health
- CHI St. Joseph Health
- CHI St. Luke’s Health Brazosport
- CHI St. Luke’s Health Memorial
- CHI St. Vincent
- Community Health Network
- Corewell Health
- Ella EM Brown Charitable Circle dba Oaklawn Hospital
- Faith Regional Health Services
- Holzer Health System
- Horizon Blue Cross Blue Shield of New Jersey
- Hospital & Medical Foundation of Paris, Inc. dba Horizon Health
- Humana Inc.
- Marshfield Clinic Health System
- Mass General Brigham Health Plan
- Mercy Med Ctr Des Moines-IA
- MercyOne Newton Med Ctr-IA (Skiff)
- Mercy Med Ctr W Lakes Des Moines-IA
- Mercy Med Ctr Centerville-IA
- MercyOne IA Heart Des Moines-IA
- Priority Health
- Regence BlueCross BlueShield of Oregon
- Regence BlueShield
- Regence BlueCross BlueShield of Utah
- Regence Blue Shield of Idaho
- St. Alexius Health
- St Anthony Hospital
- St. Bernards Healthcare
- St Joseph Health
- St. Luke’s Health
- Sutter Health
- ThedaCare, Inc.
- Trane Technologies Company LLC and/or group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc.
- Trinity Health
- The group health plans of Stanford Health Care, of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance
- The Guthrie Clinic
- Virginia Mason Franciscan Health
What was said
Welltok's statement offered: “We take this event and the security of personal information in our care very seriously. Upon learning of this event, we moved quickly to investigate and respond to the event and notify potentially affected individuals. As part of our ongoing commitment to the security of information, we are reviewing and enhancing our existing policies and procedures related to data privacy to reduce the likelihood of a similar future event.”
The bottom line
The Welltok breach and similar incidents orchestrated by the Clop ransomware group serve as a stark reminder of the urgent need for strengthened cybersecurity measures, particularly in the healthcare sector. These breaches, exposing millions of patients' sensitive data, emphasize the need for vigilance and proactive security strategies in protecting against increasingly sophisticated cyber threats. Healthcare organizations, as well as software developers like those of MOVEit, must prioritize regular security updates, comprehensive vulnerability assessments, and data protection protocols.