Paubox News | HIPAA Compliance, Email Security and Healthcare Tech

Welltok data breach affects millions

Written by Kirsten Peremore | January 05, 2024

Welltok, a third-party vendor working with health plan providers, suffered a data breach impacting 8,493,379 individuals. 

 

What happened 

On May 30, 2023, Welltok, Inc. experienced a significant data breach when an unauthorized actor exploited vulnerabilities and accessed their MOVEit Transfer server. This led to the exfiltration of sensitive data. The breach initially went unnoticed until July 26, 2023, when Welltok was alerted to potential vulnerabilities in their server software. Despite having previously installed all necessary patches provided by Progress Software, the developer of the MOVEit Transfer tool, Welltok's initial assessments did not reveal any compromise. On August 11, 2023, Welltok confirmed that the unauthorized access and data extraction had occurred. Following this, they conducted a detailed reconstruction and review of the server data, and by August 26, 2023, Welltok identified that the data related to certain individuals had been compromised during this security incident. 

The backstory

The Welltok data breach, part of a series of cyberattacks attributed to the Clop ransomware group, significantly impacts the healthcare sector. This breach mirrors similar incidents at Oregon Health Plan and UMass Chan Medical School, where millions of patients' sensitive data were compromised. These breaches, resulting from vulnerabilities in the MOVEit Transfer system identified by the Cybersecurity & Infrastructure Security Agency (CISA) in June, highlight a worrying trend of targeted attacks on healthcare data. The involvement of the Clop group, known for exploiting software vulnerabilities and demanding ransoms, underscores the evolving challenge of cybersecurity in protecting highly sensitive health information.

 

Going deeper

October 24, 2023, Welltok, Inc. announced a data breach affecting certain individuals' personal information privacy. In addition to this direct communication with affected parties, Welltok also fulfilled its regulatory obligations by reporting the incident to the appropriate authorities, including the Attorney General of Maine. The organizations affected by this breach include:

  1. Altru
  2. Asuris Northwest Health
  3. BridgeSpan Health
  4. Blue Cross and Blue Shield of Minnesota and Blue Plus
  5. Blue Cross and Blue Shield of Alabama
  6. Blue Cross and Blue Shield of Kansas
  7. Blue Cross and Blue Shield of North Carolina
  8. Centerwell Pharmacy
  9. CHI Health – NE
  10. CHI Memorial – TN
  11. CHI Memorial – GA
  12. CHI Mercy Health
  13. CHI St. Joseph Health
  14. CHI St. Luke’s Health Brazosport
  15. CHI St. Luke’s Health Memorial
  16. CHI St. Vincent
  17. Community Health Network
  18. Corewell Health
  19. Ella EM Brown Charitable Circle dba Oaklawn Hospital
  20. Faith Regional Health Services
  21. Holzer Health System
  22. Horizon Blue Cross Blue Shield of New Jersey
  23. Hospital & Medical Foundation of Paris, Inc. dba Horizon Health
  24. Humana Inc.
  25. Marshfield Clinic Health System
  26. Mass General Brigham Health Plan
  27. Mercy Med Ctr Des Moines-IA
  28. MercyOne Newton Med Ctr-IA (Skiff)
  29. Mercy Med Ctr W Lakes Des Moines-IA
  30. Mercy Med Ctr Centerville-IA
  31. MercyOne IA Heart Des Moines-IA
  32. Priority Health
  33. Regence BlueCross BlueShield of Oregon
  34. Regence BlueShield
  35. Regence BlueCross BlueShield of Utah
  36. Regence Blue Shield of Idaho
  37. St. Alexius Health
  38. St Anthony Hospital
  39. St. Bernards Healthcare
  40. St Joseph Health
  41. St. Luke’s Health
  42. Sutter Health
  43. ThedaCare, Inc.
  44. Trane Technologies Company LLC and/or group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc.
  45. Trinity Health
  46. The group health plans of Stanford Health Care, of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance
  47. The Guthrie Clinic
  48. Virginia Mason Franciscan Health

What was said

Welltok's statement offered: “ We take this event and the security of personal information in our care very seriously. Upon learning of this event, we moved quickly to investigate and respond to the event and notify potentially affected individuals. As part of our ongoing commitment to the security of information, we are reviewing and enhancing our existing policies and procedures related to data privacy to reduce the likelihood of a similar future event.”

 

The bottom line

The Welltok breach and similar incidents orchestrated by the Clop ransomware group serve as a stark reminder of the urgent need for strengthened cybersecurity measures, particularly in the healthcare sector. These breaches, exposing millions of patients' sensitive data, emphasize the need for vigilance and proactive security strategies in protecting against increasingly sophisticated cyber threats. Healthcare organizations, as well as software developers like those of MOVEit, must prioritize regular security updates, comprehensive vulnerability assessments, and data protection protocols. 

See also: HIPAA Compliant Email: The Definitive Guide