Hackers accessed the personal data of more than a million people by exploiting a security vulnerability in a file transfer tool used by Welltok, the healthcare platform owned by Virgin Pulse.
Welltok, a Denver-based patient engagement company that works with health care plans to provide communications to subscribers about their health care, confirmed in a data breach notification filed with Maine’s Attorney General last week that hackers accessed the sensitive data of more than 1.6 million individuals.
In a letter sent to those affected, Welltok said it was alerted to a first alleged compromise of the MOVEit Transfer server, a system that allows organizations to move large sets of often sensitive data over the internet, after the system’s developer published details of a software vulnerability earlier this year. Welltok said it first determined in July that there was no sign of a compromise. A second investigation, launched by the company in August, found that hackers “exfiltrated some data” from Welltok’s MOVEit Transfer server.
The compromised data included the individual’s name, date of birth, address, and health information, according to the letter.
In a notice first published on its website in late October, Welltok said the hackers also accessed Social Security numbers, Medicare and Medicaid ID numbers, and health insurance information for some patients.
TechCrunch found that Welltok’s data breach website included the “noindex” code, which tells search engines to ignore the web page, effectively making it difficult for affected customers to find the statement by searching for it. It is unclear why Welltok hid the data breach notification from search engines.
Welltok said the breach affected group health care plans at Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance, which Welltok said was announced on October 18.
However, it appears that Welltok’s breach may affect more health care providers — and more individuals — than Welltok’s disclosure to Maine’s attorney general indicated.
Corewell Health, a health care service provider in southeast Michigan that uses Welltok for patient communication, said in a press release last week that the health information of approximately one million patients, along with nearly 2,500 Priority Health members, was compromised in Welltok’s breach.
Sutter Health, a non-profit healthcare provider headquartered in Sacramento, also confirmed that more than 840,000 of its patients were affected by the Welltok breach.
St. Bernards, an Arkansas-based healthcare provider that uses a Welltok patient contact management platform, is also affected, the company said in a statement. In an early filing with Maine’s Attorney General, Welltok confirmed that the breach affected nearly 90,000 patients at St. Bernards.
The breach notices for Corewell, Sutter, and St. Bernards account for about 1.9 million patients, more than the number of affected patients disclosed by Welltok.
TechCrunch asked Welltok for comment, but did not receive a response by the time of publication.
According to researchers at cybersecurity firm Emsisoft, the MOVEit mass-hacks – said to be the biggest hacking incident of the year by the number of individuals affected alone – have affected more than 2,600 organizations to date, the majority of which are based in the United States.
Emsisoft estimates that more than 77 million individuals have been affected so far by the cyberattacks, which were claimed by the notorious Clop ransomware gang. The actual number of affected individuals is expected to be higher as more organizations come forward.