Update: Data breach at Welltok exposes 8.5 million US patients' information

The company, Welltok, experienced a breach following a hacking incident involving a file transfer program they use. Welltok partners with health service providers to maintain online wellness programs and manage databases containing patient data.

Nov 23, 2023 - 16:00
  Source
 0  55
Update: Data breach at Welltok exposes 8.5 million US patients' information

Healthcare SaaS company Welltok has announced a significant data breach, impacting nearly 8.5 million patients in the United States. The breach occurred after a file transfer service used by Welltok was compromised in a cyberattack.

Welltok, which collaborates with health service providers nationwide, manages online wellness programs and holds databases containing personal patient information. The company also engages in generating predictive analytics and supports various healthcare functions, including medication adherence and pandemic response efforts.

Earlier in the year, the Clop ransomware gang targeted a zero-day vulnerability in the MOVEit software, leading to breaches at numerous organizations globally, followed by extortion demands and data leaks affecting over 77 million individuals.

In late October, Welltok disclosed a data incident, stating that its MOVEit Transfer server was breached on July 26, 2023. The breach occurred despite the company's prompt application of security updates provided by the vendor.

The exposed data includes patients' full names, email addresses, physical addresses, and phone numbers. In some cases, sensitive information such as Social Security Numbers (SSNs), Medicare/Medicaid ID numbers, and health insurance details were also compromised.

The breach has affected healthcare providers across multiple states, including Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois, and Massachusetts. Institutions impacted by the breach include various Blue Cross and Blue Shield entities, Corewell Health, Faith Regional Health Services, Mass General Brigham Health Plan, Priority Health, St. Bernards Healthcare, Sutter Health, Trane Technologies Company LLC, and several group health plans associated with Stanford Health Care and The Guthrie Clinic.

Initially, the scale of the breach was unclear as Welltok did not immediately disclose the number of affected individuals. However, a recent report filed with the U.S. Department of Health and Human Services' breach portal confirmed that the incident impacted 8,493,379 people. This makes the Welltok breach the second-largest MOVEit-related data breach after the incident at Maximus, which affected 11 million individuals.