Welltok, Inc.
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
Welltok, Inc., a healthcare services and support company and subsidiary of Virgin Pulse, experienced a significant data breach that was first identified on July 26, 2023. The breach involved unauthorized access to Welltok’s MOVEit server, a file-transfer program, which occurred on May 30, 2023. This incident resulted in the exposure of sensitive personal information belonging to patients of Welltok’s healthcare customers, including Elixir RX Solutions, OrthoNebraska, and OSF HealthCare System[1].
The compromised data varied by individual but may have included names, Social Security numbers, dates of birth, addresses, phone numbers, email addresses, medical record numbers, treatment information, diagnosis information, provider names, prescription information, health insurance information, and treatment cost information[1].
Welltok began sending out data breach notification letters to all affected individuals on December 4, 2023. The breach affected approximately 8.5 million records, making it one of the largest healthcare breaches reported in 2023[3]. The Clop hacking group was identified as the perpetrator, exploiting a zero-day vulnerability in the MOVEit Transfer tool[5].
The breach has led to numerous lawsuits and has raised concerns about the security of personal health information. Welltok has taken steps to review and enhance its existing policies and procedures related to data privacy to reduce the likelihood of a similar event in the future[3].
Affected individuals have been advised to monitor their accounts for any suspicious activity and to be vigilant against identity theft. Welltok is offering credit monitoring and identity prevention services to those impacted[11].
Citations:
- https://www.jdsupra.com/legalnews/welltok-announces-data-breach-affecting-6760008/
- https://www.humana.com
- https://healthitsecurity.com/news/8.5m-records-impacted-by-welltok-data-breach-stemming-from-moveit-hack
- https://securityaffairs.com/159085/data-breach/bank-of-america-third-party-services-data-breach.html
- https://www.hipaajournal.com/welltok-data-breach/
- https://securityaffairs.com/159093/cyber-crime/romanian-hospitals-ransomware-attack.html
- https://www.25newsnow.com/2023/12/14/7-months-later-software-firm-welltok-informs-osf-patients-data-breach/
- https://securityaffairs.com/158969/malware/raspberry-robin-1-day-exploits.html
- https://cybernews.com/news/welltok-moveit-breach-impacts-millions/
- https://www.bitdefender.com
- https://dayton247now.com/news/local/data-breach-at-health-software-company-welltok-impacts-84-million-including-premier-health-patients
- https://securityaffairs.com/158942/malware/macos-backdoor-rustdoor.html
- https://www.gshealth.org/welltok-inc-data-breach
- https://www.wphospital.org
- https://www.michigan.gov/ag/news/press-releases/2023/12/01/corewell-health-data-breach-exposes-info-of-one-million-michigan-patients
- https://www.bluecrossnc.com