Hackers breached the file transfer tool used by Welltok, Virgin Pulse’s healthcare platform, and stole the personal data of more than a million people.
Welltok, a Denver-based patient engagement company that works with healthcare plans to communicate with subscribers, informed Maine’s attorney general last week that hackers stole more than 1.6 million people’s sensitive data.
Welltok told affected parties about an earlier alleged compromise of its MOVEit Transfer server, a system that lets organizations move large amounts of sensitive data over the internet, after the system’s developer published details of a software vulnerability earlier this year. Welltok’s investigation in July found no compromise. A second Welltok probe in August, however, found that hackers “exfiltrated certain data” from its MOVEit Transfer server.
The letter says the exposed data includes names, birthdates, residences, and health information.
In late October, Welltok announced on its website that hackers had acquired some patients’ Social Security numbers, Medicare and Medicaid ID numbers, and health insurance information.
Welltok’s data breach notice page was found to carry “noindex” code, which tells search engines to ignore the page, making it harder for affected consumers to find the statement. It’s unclear why Welltok hid its data breach notification from search engines.
Welltok informed Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance on October 18 that the breach affected their group healthcare plans.
The Welltok breach may affect more healthcare providers and individuals than Welltok disclosed to Maine’s attorney general.
Last week, Corewell Health, a southeast Michigan healthcare provider that uses Welltok for patient communication, announced that Welltok’s breach compromised the health information of one million patients and 2,500 Priority Health members.
The Welltok incident, according to Sacramento-based non-profit Sutter Health, affected about 840,000 of its patients.
St. Bernards, an Arkansas healthcare provider that uses Welltok’s patient contact-management software, was also compromised, the company said. Welltok informed Maine’s attorney general that the breach affected nearly 90,000 St. Bernards patients.
Together, the breach alerts from Corewell, Sutter, and St. Bernards cover 1.9 million patients, significantly more than Welltok revealed.
At the time of publication, Welltok had not responded to the request for comment.
Emsisoft experts say the MOVEit mass hacks, the largest hacking incident of the year by number of victims, have hit over 2,600 businesses, most of which are in the US.
Emsisoft estimates that the Clop ransomware gang’s intrusions have affected approximately 77 million people. As more organizations come forward, the true number of affected people will rise.