Hospital & Medical Foundation of Paris, Inc

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

The breach at the Hospital & Medical Foundation of Paris, Inc., doing business as Horizon Health, was part of a larger cybersecurity incident involving Welltok, Inc., a healthcare SaaS provider. This incident was a consequence of a cyberattack on Welltok’s MOVEit Transfer server, which occurred on July 26, 2023. The attack exploited a zero-day vulnerability in the MOVEit software, leading to the exposure of personal information belonging to nearly 8.5 million patients across the United States, including those associated with Horizon Health in Illinois.

The data compromised in this breach included sensitive patient information such as full names, email addresses, physical addresses, and telephone numbers. For some individuals, more sensitive data such as Social Security Numbers (SSNs), Medicare/Medicaid ID numbers, and specific health insurance information were also exposed. The breach was attributed to the activities of the Clop ransomware gang, which took advantage of the software vulnerability to execute the attack.

Horizon Health was among numerous healthcare providers and organizations affected by this breach, which had a significant impact on institutions in several states, including Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois, and Massachusetts. The breach at Horizon Health specifically affected 16,598 individuals[4][15].

Welltok responded to the incident by publishing a notice of the data breach and reported the breach to the U.S. Department of Health and Human Services, confirming that 8,493,379 individuals were impacted overall. This incident ranks as the second-largest MOVEit data breach, following the Maximus breach that affected 11 million people[3][7]. Welltok has offered free credit monitoring to all impacted individuals and has resolved the system and security concerns related to the breach[2].

Citations:

  1. https://www.myhorizonhealth.org/patients-visitors/welltok-breach-2023/
  2. https://www.cbsnews.com/detroit/news/corewell-health-security-breach-priority-welltok-inc-information-concerns/
  3. https://www.zzservers.com/massive-welltok-data-breach-confidential-information-of-8-5-million-us-patients-exposed/
  4. https://www.hipaajournal.com/welltok-data-breach/
  5. https://www.michigan.gov/ag/news/press-releases/2023/12/01/corewell-health-data-breach-exposes-info-of-one-million-michigan-patients
  6. https://heimdalsecurity.com/blog/welltok-data-breach-affects-over-8-5-million-patients/
  7. https://www.bleepingcomputer.com/news/security/welltok-data-breach-exposes-data-of-85-million-us-patients/
  8. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  9. https://timesofindia.indiatimes.com/gadgets-news/welltok-hack-exposed-the-personal-data-of-around-8-5-million-patients-in-the-us/articleshow/105474548.cms
  10. https://kffhealthnews.org/news/hospital-penalties/
  11. https://www.mlive.com/news/2023/12/national-data-breach-could-affect-1-million-corewell-health-clients-other-health-systems.html
  12. https://www.myhorizonhealth.org/blog-news/2023/december/horizon-health-a-top-hospital-for-physician-comm/
  13. https://www.askwoody.com/forums/topic/welltok-data-breach-exposes-data-of-8-5-million-us-patients/
  14. https://www.linkedin.com/posts/carol-forden_welltok-data-breach-exposes-data-of-85-million-activity-7134191866291392512-69Kd
  15. https://www.hipaajournal.com/october-2023-healthcare-data-breach-report/

Breach Submission Date: Oct 19, 2023
Converted Entity Name: Hospital & Medical Foundation of Paris, Inc
Converted Entity Type: Healthcare Provider
State: IL
Individuals Affected: 16,598
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes