Sensitive personal data of over 8 million people was accessed by hackers who exploited a security vulnerability in a file transfer tool used by Welltok, the healthcare platform owned by Virgin Pulse.
Welltok, a Denver-based patient engagement company, specializes in working with healthcare plans to provide communications to subscribers about their healthcare. In a notice published on its website in late October, it recently confirmed that it had experienced a data breach. The breach occurred after hackers compromised its MOVEit Transfer server, a system that enables organizations to transfer large sets of often-sensitive data over the internet.
An in-depth analysis by TechCrunch showed that Welltok’s data breach notice includes “noindex” code, which tells search engines to ignore the web page and makes it more difficult for affected customers to find the statement through online searches. Welltok’s motive for concealing its data breach notification from search engines remains unclear.
Last week, the company reported in a data breach notification filed with Maine’s attorney general that the MOVEit hackers had accessed the sensitive data of over 1.6 million individuals. However, additional healthcare providers partnering with Welltok also confirmed that they had been impacted by the breach, implying that the number of affected individuals exceeded the figure stated in Welltok’s disclosure to Maine’s attorney general.
On Thursday, an update to the U.S. Department of Health and Human Services breach portal confirmed that the Welltok breach had impacted over 8 million individuals in total, making it the second largest MOVEit breach, following the breach of U.S. government contractor Maximus, which affected 11 million individuals.
According to Welltok, the compromised data includes individuals’ names, dates of birth, addresses, Social Security numbers, health information, Medicare and Medicaid ID numbers, and health insurance information.
The full list of impacted healthcare providers has not been disclosed yet.
In its filing with Maine’s attorney general, Welltok stated that the breach affected the group healthcare plans of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance, which Welltok notified on October 18.
Furthermore, Corewell Health, a provider of healthcare services in southeast Michigan that uses Welltok for patient communication, revealed in a press release last week that the health information of approximately one million patients, along with around 2,500 Priority Health members, was compromised by Welltok’s breach.
Sutter Health, a nonprofit healthcare provider based in Sacramento, also confirmed that over 840,000 of its patients were impacted by the Welltok breach.
St. Bernards, a healthcare provider in Arkansas using a patient contact-management platform by Welltok, also reported being affected in a statement. In an earlier filing with Maine’s attorney general, Welltok confirmed that the breach impacted nearly 90,000 St. Bernards patients.
TechCrunch has reached out to Welltok for comment but has not received a response at the time of publication.
According to researchers at cybersecurity firm Emsisoft, the MOVEit mass-hacks, believed to be the biggest hacking incident of the year by number of individuals affected alone, have affected over 2,600 organizations to date, predominantly based in the United States.
Emsisoft estimates that the cyberattacks, claimed by the notorious Clop ransomware gang, have impacted over 82 million individuals so far. The actual number of affected individuals is expected to be significantly higher as more organizations come forward.
UPDATE, Nov. 22, 14:30 ET: This article has been updated to include figures from the U.S. Department of Health and Human Services breach portal.