Hackers accessed the personal data of more than a million people by exploiting a security vulnerability in a file transfer tool used by Welltok, the healthcare platform owned by Virgin Pulse.
Welltok, a Denver-based patient engagement company that works with healthcare plans to provide communications to subscribers about their healthcare, confirmed in a data breach notification filed with Maine’s attorney general last week that hackers accessed the sensitive data of more than 1.6 million individuals.
In a letter sent to those affected, Welltok said it was alerted to an earlier alleged compromise of its MOVEit Transfer server, a system that allows organizations to move large sets of often-sensitive data over the internet, after the system’s developer published details of a software vulnerability earlier this year. Welltok said it initially determined in July that there was no indication of a compromise. A second investigation, launched by the company in August, found that hackers “exfiltrated certain data” from Welltok’s MOVEit Transfer server.
The compromised data includes individuals’ names, dates of birth, addresses and health information, according to the letter.
In a notice first published on its website in late October, Welltok said that hackers also accessed Social Security numbers, Medicare and Medicaid ID numbers and health insurance information for some patients.
TechCrunch found that Welltok’s data breach website includes “noindex” code, which tells search engines to ignore the web page, effectively making it more difficult for affected customers to find the statement by searching for it. It’s not clear why Welltok hid its data breach notification from search engines.
Welltok said that the breach affected the group healthcare plans of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners and Packard Children’s Health Alliance, which Welltok said it notified on October 18.
However, it appears the Welltok breach may affect more healthcare providers — and more individuals — than stated in Welltok’s disclosure to Maine’s attorney general.
Corewell Health, a provider of healthcare services in southeast Michigan that uses Welltok for patient communication, said in a press release last week that the health information of approximately one million patients, along with around 2,500 Priority Health members, was compromised by Welltok’s breach.
Sutter Health, a nonprofit healthcare provider headquartered in Sacramento, also confirmed that more than 840,000 of its patients were impacted by the Welltok breach.
St. Bernards, an Arkansas-based healthcare provider that uses a patient contact-management platform by Welltok, was also affected, the company said in a statement. In an earlier filing with Maine’s attorney general, Welltok confirmed that the breach impacted almost 90,000 St. Bernards patients.
The breach notifications for Corewell, Sutter and St. Bernards account for about 1.9 million patients, far more than the number of affected patients that Welltok disclosed.
TechCrunch has asked Welltok for comment, but has not received a response at the time of publication.
According to researchers at cybersecurity firm Emsisoft, the MOVEit mass-hacks — said to be the biggest hacking incident of the year by the number of individuals affected alone — have impacted more than 2,600 organizations to date, the majority of which are based in the United States.
Emsisoft estimates that over 77 million individuals have been impacted so far by the cyberattacks, which have been claimed by the notorious Clop ransomware gang. The true number of affected individuals is expected to be significantly higher as more organizations come forward.