Hackers accessed the personal data of more than a million people by exploiting a security vulnerability in a file transfer tool used by Welltok, the healthcare platform owned by Virgin Pulse.
Welltok, a Denver-based patient engagement company that works with health care plans to provide communications to subscribers about their health care, confirmed in a data breach notification filed with the Maine attorney general last week that hackers accessed the sensitive data of more than 1.6 million people.
In a letter sent to those affected, Welltok said it was notified of an earlier alleged compromise of its MOVEit Transfer server, a system that allows organizations to move large sets of often sensitive data over the Internet, after the system's developer published details of a software vulnerability earlier this year. Welltok said it initially determined in July that there was no indication of compromise. A second investigation, launched by the company in August, found that hackers "exfiltrated some data" from Welltok's MOVEit Transfer server.
The breached data includes people's names, dates of birth, addresses and health information, according to the letter.
In a notice published on its website, first reported in late October, Welltok said the hackers also accessed Social Security numbers, Medicare and Medicaid ID numbers, and health insurance information for some patients.
TechCrunch found that Welltok's breach notice webpage includes "noindex" code, which tells search engines to ignore the webpage, effectively making it harder for affected customers to find the statement by searching for it. It is unclear why Welltok hid the data breach notification from search engines.
Welltok said the breach affected the group health care plans of Stanford Health Care, Lucile Packard Children's Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners and Packard Children's Health Alliance, which Welltok said it notified on Oct. 18.
However, it appears that the Welltok breach may affect more health care providers – and more people – than Welltok's disclosure with the Maine attorney general indicates.
Corewell Health, a healthcare provider in southeast Michigan that uses Welltok to communicate with patients, said in a press release last week that the health information of about one million patients, along with about 2,500 Priority Health members, was compromised in the Welltok breach.
Sutter Health, a nonprofit healthcare provider based in Sacramento, also confirmed that more than 840,000 of its patients were affected by the Welltok breach.
St. Bernards, an Arkansas-based healthcare provider that uses a patient contact management platform from Welltok, was also affected, the company said in a statement. In a previous filing with the Maine attorney general, Welltok confirmed that the breach affected nearly 90,000 patients of St. Bernards.
Breach notices for Corewell, Sutter and St. Bernards account for about 1.9 million patients, far more than the number of affected patients disclosed by Welltok.
TechCrunch reached out to Welltok for comment, but did not receive a response at the time of publication.
According to researchers at cybersecurity firm Emsisoft, the MOVEit mass breaches, said to be the largest hacking incident of the year by the number of people affected alone, have affected more than 2,600 organizations to date, the majority of which are based in the United States.
Emsisoft estimates that over 77 million people have been affected so far by the cyber attacks carried out by the notorious Clop ransomware gang. The actual number of people affected is expected to be significantly higher as more organizations come forward.