Welltok Data Breach: 8,493,379 Individuals Affected

The Denver-based patient engagement company, Welltok, has recently confirmed that it was one of the victims of the Clop hacking group, which exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer tool in May 2023. It was initially unclear how many people had been affected by the Welltok data breach, but the HHS’ Office for Civil Rights breach total has been updated and lists the breach as affecting 8,493,379 individuals. The Welltok data breach is the fourth-largest healthcare data breach of 2023 behind the 11,270,000 record breach at HCA Healthcare, the 8,952,212 record breach at PJ&A, and the 8,923,662 record breach at MCNA Dental.

Welltok, which is owned by Virgin Pulse, works with health plan providers and manages communications with their subscribers through its platform. The company also operates a voluntary online wellness program for health plan subscribers that encourages healthy lifestyle changes. Welltok used the MOVEit Transfer tool for transferring large datasets across the Internet as part of its contracted services with health plans. According to Welltok, it was notified by Progress Software on May 31, 2023, about a vulnerability in the platform and applied the patch and mitigations as recommended by Progress Software. Its initial investigation suggested its MOVEit Transfer server had not been compromised. Then on July 26, 2023, it was alerted about an earlier breach of its MOVEit Transfer server, and on August 11, 2023, confirmed that the Clop group had exploited the vulnerability on May 30, 2023, the day before the patch was released. Data theft was confirmed on August 26, 2023.

A review of the affected files confirmed that they contained the data of health plan members such as names, dates of birth, addresses, and health information. Certain individuals also had their Social Security numbers, Medicare/Medicaid IDs, and health insurance information stolen. A substitute breach notification was uploaded to the Welltok website in October; however, it would likely only be found by individuals who visited the website, as the page had been set to no-index, which meant it would not be indexed by search engines.

Welltok notified the Maine Attorney General about the data breach on behalf of the following group of Stanford Health Care health plans, with the breach notice stating that 1,648,848 individuals had been affected:


  • Stanford Health Care
  • Lucile Packard Children’s Hospital Stanford
  • Stanford Health Care Tri-Valley
  • Stanford Medicine Partners
  • Packard Children’s Health Alliance

A separate notification was sent to the Maine Attorney General by Welltok on behalf of Premier Health, a health system serving patients in southwestern Ohio, and Graphic Packaging International, LLC. Across these two clients, the information of 426,812 individuals was exposed. The Welltok website notification states it is providing notifications on behalf of Sutter Health, Trane Technologies Company LLC, and group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc. Those entities were not included in the Maine Attorney General notification. Sacramento, CA-based Sutter Health previously confirmed that it was affected by the Welltok data breach and said 845,451 individuals had been affected.

Arkansas-based St. Bernards Healthcare, Inc. separately reported the breach to the Maine Attorney General as affecting 89,556 individuals. Corewell Health, which serves patients in southeast Michigan, was also affected by the Welltok data breach and said approximately 1 million patients had been affected, along with around 2,500 Priority Health members. The Hospital & Medical Foundation of Paris, Inc., which does business as Horizon Health, said 16,598 individuals had been affected, and 78,692 members of the health and wellness plan of the International Paper Company Group had their information compromised.

Other victims of the breach include Asuris Northwest Health, BridgeSpan Health, Blue Cross and Blue Shield of Minnesota and Blue Plus, Blue Cross and Blue Shield of Alabama, Blue Cross and Blue Shield of Kansas, Blue Cross and Blue Shield of North Carolina, Mass General Brigham Health Plan, Faith Regional Health Services, The Guthrie Clinic, Regence BlueCross BlueShield of Oregon, Regence BlueShield, Regence BlueCross BlueShield of Utah, Regence Blue Shield of Idaho, Yale New Haven Health, CHI Memorial, CHI St. Alexius, West Virginia University Medicine, OSF Healthcare, UnitedHealthcare, the Good Shepherd Health Care System, and Humana CenterWell Pharmacy.

“This is yet another stark example of supply chain vulnerabilities being exploited by cybercriminals. For far too long companies who develop software platforms have seen cybersecurity as an expense versus a functionality of doing business. Greater due diligence is necessitated by Virgin Pulse per runtime security and vulnerability management,” Tom Kellermann, SVP of Cyber Strategy at Contrast Security told the HIPAA Journal.

The latest tracking data from the cybersecurity firm Emsisoft shows that the Clop hacking group mass-exploited the vulnerability to attack at least 2,618 organizations globally, and that the personal data of at least 77 million individuals was stolen. Emsisoft said the sectors most affected were education, healthcare, and financial and professional services. While the vulnerability was exploited in late May, many organizations have only recently confirmed they were affected, and those totals are certain to continue to rise. Many lawsuits have been filed in response to these data breaches, against the organizations affected as well as Progress Software. Fifty-eight lawsuits against Progress Software were consolidated into a single class action in federal court in Massachusetts last month, as each made similar claims. The U.S. Securities and Exchange Commission (SEC) has also launched an investigation into Progress Software over the data breach.

“Once a vulnerability is made public, the hourglass is turned and IT teams have limited time before criminals take advantage of the vulnerability if they haven’t done so already,” Dror Liwer, co-founder of cybersecurity company Coro, told the HIPAA Journal. “To minimize the risk, removal of impacted software, or patching if available, must be immediate. Every sand grain that falls is an opportunity for the criminals, and an exposure to the organization.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com