Hackers accessed the personal data of more than 8 million people by exploiting a security vulnerability in a file transfer tool used by Welltok, the healthcare platform owned by Virgin Pulse.
Welltok, a Denver-based patient engagement company that works with health care plans to deliver communications to subscribers about their health care, was first confirmed in notice published on its website in late October that it had suffered a data breach after hackers breached the MOVEit Transfer server, a system that allows organizations to move large sets of often sensitive data over the Internet.
TechCrunch found that Welltok’s data breach notification includes “noindex” code, which tells search engines to ignore the webpage, effectively making it harder for affected customers to find the statement by searching for it. It is unclear why Welltok hid the data breach notification from search engines.
Last week, the company stated in a data breach notification testified to the Maine attorney general that MOVEit hackers accessed the sensitive data of more than 1.6 million people. However, additional healthcare providers that work with Welltok also confirmed they were affected by the breach, suggesting that more people were affected than the number listed in Welltok’s disclosure with the Maine attorney general.
On Thursday, an update to the US Department of Health and Human Services breach gate confirmed that the Welltok breach had affected more than 8 million people in total. This makes the incident the second largest MOVEit breach, after the US government contractor Maximus breach that affected 11 million people.
As confirmed by Welltok, the breached data includes people’s names, dates of birth, addresses, social security numbers, health information, Medicare and Medicaid identification numbers and health insurance information.
The full list of affected healthcare providers is not yet known.
In its filing with the Maine attorney general, Welltok said the breach affected the group health care plans of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners and Packard Children’s Health Alliance, which Welltok shared. on October 18.
Separately, Corewell Health, a health care provider in southeast Michigan that uses Welltok to communicate with patients, said in Press release last week that the health information of about one million patients, along with about 2,500 Priority Health members, was compromised in the Welltok breach.
Sutter Health, a nonprofit healthcare provider based in Sacramento, as well confirmed that more than 840,000 of its patients were affected by the Welltok breach.
St. Bernards, an Arkansas-based healthcare provider that uses a patient contact management platform from Welltok, was also affected, the company said in a statement. statement. In one previous deposit with the Maine attorney general, Welltok confirmed that the breach affected nearly 90,000 patients of St. Bernards.
TechCrunch reached out to Welltok for comment, but did not receive a response at the time of publication.
According researchers at cybersecurity firm Emsisoftthe massive MOVEit breaches – said to be the largest hacking incident of the year by the number of people affected alone – have affected more than 2,600 organizations to date, the majority of which are based in the United States.
Emsisoft estimates that over 82 million people have been affected so far by the cyber attacks carried out by the notorious Clop ransomware gang. The actual number of people affected is expected to be significantly higher as more organisms emerge.
UPDATE, November 22, 2:30 p.m. ET: This article has been updated to include information from the US Department of Health and Human Services breach portal.
