Welltok, Inc.

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Welltok, Inc., a healthcare services and support company and subsidiary of Virgin Pulse, experienced a significant data breach that was first identified on July 26, 2023. The breach involved unauthorized access to Welltok’s MOVEit server, a file-transfer program, which occurred on May 30, 2023. This incident resulted in the exposure of sensitive personal information belonging to patients of Welltok’s healthcare customers, including Elixir RX Solutions, OrthoNebraska, and OSF HealthCare System[1].

The compromised data varied by individual but may have included names, Social Security numbers, dates of birth, addresses, phone numbers, email addresses, medical record numbers, treatment information, diagnosis information, provider names, prescription information, health insurance information, and treatment cost information[1].

Welltok began sending out data breach notification letters to all affected individuals on December 4, 2023. The breach affected approximately 8.5 million records, making it one of the largest healthcare breaches reported in 2023[3]. The Clop hacking group was identified as the perpetrator, exploiting a zero-day vulnerability in the MOVEit Transfer tool[5].

The breach has led to numerous lawsuits and has raised concerns about the security of personal health information. Welltok has taken steps to review and enhance its existing policies and procedures related to data privacy to reduce the likelihood of a similar event in the future[3].

Affected individuals have been advised to monitor their accounts for any suspicious activity and to be vigilant against identity theft. Welltok is offering credit monitoring and identity prevention services to those impacted[11].

Citations:

  1. https://www.jdsupra.com/legalnews/welltok-announces-data-breach-affecting-6760008/
  2. https://www.humana.com
  3. https://healthitsecurity.com/news/8.5m-records-impacted-by-welltok-data-breach-stemming-from-moveit-hack
  4. https://securityaffairs.com/159085/data-breach/bank-of-america-third-party-services-data-breach.html
  5. https://www.hipaajournal.com/welltok-data-breach/
  6. https://securityaffairs.com/159093/cyber-crime/romanian-hospitals-ransomware-attack.html
  7. https://www.25newsnow.com/2023/12/14/7-months-later-software-firm-welltok-informs-osf-patients-data-breach/
  8. https://securityaffairs.com/158969/malware/raspberry-robin-1-day-exploits.html
  9. https://cybernews.com/news/welltok-moveit-breach-impacts-millions/
  10. https://www.bitdefender.com
  11. https://dayton247now.com/news/local/data-breach-at-health-software-company-welltok-impacts-84-million-including-premier-health-patients
  12. https://securityaffairs.com/158942/malware/macos-backdoor-rustdoor.html
  13. https://www.gshealth.org/welltok-inc-data-breach
  14. https://www.wphospital.org
  15. https://www.michigan.gov/ag/news/press-releases/2023/12/01/corewell-health-data-breach-exposes-info-of-one-million-michigan-patients
  16. https://www.bluecrossnc.com
Breach Submission Date Nov 06, 2023
Converted Entity Name Welltok, Inc.
Converted Entity Type Business Associate
State CO
Individuals Affected 8,493,379
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes