Hackers gained access to the personal data of more than a million people by exploiting a vulnerability in a file transfer tool used by Welltok, the healthcare platform owned by Virgin Pulse.
Welltok, a Denver-based patient engagement company that works with health plans to provide communications to subscribers about their health care, has been confirmed in Data breach notification It was filed with the Maine Attorney General last week that hackers accessed sensitive data of more than 1.6 million individuals.
In a letter sent to those affected, Welltok said it was alerted to a previous alleged breach of its MOVEit Transfer server, a system that allows organizations to transfer large sets of often sensitive data over the Internet, after the system’s developer published details of a vulnerability earlier this year. . Wiltock said she initially decided in July that there was no sign of a settlement. A second investigation, launched by the company in August, found that hackers “leaked certain data” from Welltok’s MOVEit Transfer server.
The compromised data includes individuals’ names, dates of birth, addresses and health information, according to the letter.
in A notice posted on its website First published in late October, Welltok said the hackers also gained access to Social Security numbers, Medicare and Medicaid ID numbers, and health insurance information for some patients.
TechCrunch found that Welltok’s data breach website included a “noindex” code, which tells search engines to ignore the webpage, making it difficult for affected customers to find the statement by searching for it. It’s not clear why Welltok hid the data breach notification from search engines.
Wiltock said the breach affected the group healthcare plans of Stanford Health Care, Lucille Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners and Packard Children’s Health Alliance, which Wiltock said she notified on October 18.
However, it appears that the Welltok hack may affect a larger number of healthcare providers — and a larger number of individuals — than Welltok disclosed to the Maine attorney general.
Corewell Health, a healthcare provider in southeast Michigan that uses Welltok to communicate with patients, said in a statement press release Last week, the health information of about 1 million patients, along with about 2,500 Priority Health members, was compromised due to the Welltok hack.
Sutter Health, a health care nonprofit also based in Sacramento Certain More than 840,000 of its patients were affected by the Welltok hack.
St. Bernards, an Arkansas-based health care provider that uses Welltok’s patient contact management platform, was also affected, the company said in a statement. statement. in Deposit earlier With the Maine Attorney General, Wiltock confirmed that the breach affected nearly 90,000 patients at St. Bernards.
The breach notifications for Corewell, Sutter and St. Bernards has about 1.9 million patients, which is much more than the number of affected patients revealed by Welltok.
TechCrunch asked Welltok for comment, but did not receive a response as of press time.
according to Researchers at cybersecurity company Emsisoftthe MOVEit mass hacks — said to be the largest hacking incident this year in terms of the number of individuals affected alone — have affected more than 2,600 organizations to date, most of which are based in the United States.
Emsisoft estimates that more than 77 million individuals have so far been affected by cyberattacks, claimed by the notorious Clop Ransomware gang. The true number of affected individuals is expected to be much higher as more organizations come forward.