Welltok Data Breach Impacts 8,493,379 Individuals

Welltok, a patient engagement company based in Denver, has reported that it was attacked by the Clop hacking group in May 2023. The group exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer tool. Initially, the number of people affected by the Welltok data breach was unclear. However, the HHS’ Office for Civil Rights has updated the breach total and now lists 8,493,379 individuals as affected. The Welltok data breach is 2023’s fourth-biggest healthcare data breach. Topping the list is HCA Healthcare’s 11,270,000-record breach, followed by PJ&A’s 8,952,212-record breach and MCNA Dental’s 8,923,662-record breach.

Welltok works with health plan companies and provides communication services for their subscribers through its platform. It also runs a voluntary online wellness program that encourages health plan subscribers to adopt a healthy lifestyle. As part of the services it provides to health plans, Welltok used the MOVEit Transfer tool to transfer large datasets across the web. According to Welltok, it received a notification from Progress Software on May 31, 2023, regarding a vulnerability affecting its platform and implemented the patch and mitigations that Progress Software recommended. The preliminary investigation concluded that its MOVEit Transfer server was not compromised. On July 26, 2023, Welltok was notified of a breach of its MOVEit Transfer server. On August 11, 2023, it was confirmed that the Clop group had exploited the vulnerability on May 30, 2023, before the patch was released. On August 26, 2023, data theft was likewise confirmed.

An analysis of the breached files showed that they included health plan members’ information, such as names, birth dates, addresses, and medical data. The Social Security numbers, Medicaid/Medicare IDs, and medical insurance data of certain individuals were also stolen. The substitute breach notification posted on Welltok’s website in October was likely seen only by persons who visited the website.

Welltok notified the Maine Attorney General of the data breach on behalf of the Stanford Health Care health plans listed below, indicating that the breach affected 1,648,848 individuals.

  • Lucile Packard Children’s Hospital Stanford
  • Packard Children’s Health Alliance
  • Stanford Health Care
  • Stanford Medicine Partners
  • Stanford Health Care Tri-Valley

Welltok sent another notification to the Maine Attorney General on behalf of Graphic Packaging International, LLC, and Premier Health in southwestern Ohio. Across these two clients, the data of 426,812 people was compromised. According to the notification on Welltok’s website, it is issuing notifications on behalf of Trane Technologies Company LLC, Sutter Health, and group health plans sponsored by Trane U.S. Inc. or Trane Technologies Company LLC. Those entities were not part of the Maine Attorney General notification. Sutter Health, based in Sacramento, CA, previously stated that it was impacted by the Welltok security breach, with 845,451 people affected.

St. Bernards Healthcare, Inc., based in Arkansas, separately submitted a breach report to the Maine Attorney General stating that 89,556 individuals were affected. Corewell Health in southeast Michigan was likewise impacted by the Welltok data breach and stated that roughly 1 million patients were impacted, together with about 2,500 Priority Health members. Horizon Health, also known as Hospital & Medical Foundation of Paris, Inc., stated that 16,598 people were impacted. The data of 78,692 health and wellness plan members of the International Paper Company Group was compromised. Other breach victims include Faith Regional Health Services, Mass General Brigham Health Plan, The Guthrie Clinic, Blue Cross and Blue Shield of Minnesota, Blue Cross, Blue Plus, and Blue Shield of Alabama, and Blue Cross and Blue Shield of Kansas.

This data breach is one more stark case of cybercriminals exploiting supply chain vulnerabilities. For a long time, companies that create software tools have treated cybersecurity as an expense rather than a function of doing business. More research into runtime security and vulnerability management is required of Virgin Pulse.

The most recent tracking information from the cybersecurity company Emsisoft indicates that the Clop hacking group conducted mass exploitation of the vulnerability, attacking about 2,618 companies worldwide and stealing the personal information of about 77 million people. Emsisoft stated that the industries most impacted were education, healthcare, and professional and financial services. Although the vulnerability was exploited at the end of May, numerous companies have only recently confirmed that they were impacted, and those numbers will continue to increase. Many lawsuits have been filed against the impacted companies and against Progress Software because of these data breaches. Fifty-eight lawsuits against Progress Software were consolidated into a single class action lawsuit in federal court in Massachusetts in November, since each made the same claims. The U.S. Securities and Exchange Commission (SEC) has likewise started investigating Progress Software because of the data breach.

Once a vulnerability is announced to the public, IT teams have less time to act before cybercriminals exploit it, if they have not done so already. To reduce the risk, remove the affected software or apply the patch quickly once it is offered. Criminals take advantage of every opportunity when an organization is exposed.