Hackers accessed the non-public information of greater than one million folks by exploiting a safety vulnerability in a file switch software utilized by Welltok, the healthcare platform owned by Virgin Pulse.
Welltok, a Denver-based affected person engagement firm that works with healthcare plans to offer communications to subscribers about their healthcare, confirmed in a data breach notification filed with Maine’s legal professional normal final week that hackers accessed the delicate information of greater than 1.6 million people.
In a letter despatched to these affected, Welltok mentioned it was alerted to an earlier alleged compromise of its MOVEit Switch server, a system that enables organizations to maneuver giant units of often-sensitive information over the web, after the system’s developer published details of a software vulnerability earlier this yr. Welltok mentioned it initially decided in July that there was no indication of a compromise. A second investigation, launched by the corporate in August, discovered that hackers “exfiltrated sure information” from Welltok’s MOVEit Switch server.
The compromised information contains people’ title, date of delivery, addresses, and well being info, in response to the letter.
In a notice published on its website first printed in late October, Welltok mentioned that hackers additionally accessed Social Safety numbers, Medicare and Medicaid ID numbers, and medical insurance info for some sufferers.
TechCrunch discovered that Welltok’s information breach web site contains “noindex” code, which tells engines like google to disregard the net web page, successfully making it harder for affected prospects to search out the assertion by trying to find it. It’s not clear for what purpose Welltok hid its information breach notification from engines like google.
Welltok mentioned that the breach affected the group healthcare plans of Stanford Well being Care, Lucile Packard Kids’s Hospital Stanford, Stanford Well being Care Tri-Valley, Stanford Drugs Companions, and Packard Kids’s Well being Alliance, which Welltok mentioned it notified on October 18.
Nonetheless, it seems the Welltok breach could have an effect on extra healthcare suppliers — and extra people — than acknowledged in Welltok’s disclosure with Maine’s legal professional normal.
Corewell Well being, a supplier of healthcare providers in southeast Michigan that makes use of Welltok for affected person communication, mentioned in a press release final week that the well being info of roughly a million sufferers, together with round 2,500 Precedence Well being members, was compromised by Welltok’s breach.
Sutter Well being, a non-profit healthcare supplier headquartered in Sacramento, additionally confirmed that greater than 840,000 of its sufferers have been impacted by the Welltok breach.
St. Bernards, an Arkansas-based healthcare supplier that makes use of a affected person contact-management platform by Welltok, was additionally affected, the corporate mentioned in a statement. In an earlier filing with Maine’s legal professional normal, Welltok confirmed that the breach impacted nearly 90,000 St. Bernards sufferers.
The breach notifications for Corewell, Sutter, and St. Bernards account for about 1.9 million sufferers, way over the variety of affected sufferers that Welltok disclosed.
TechCrunch has requested Welltok for remark, however has not acquired a response on the time of publication.
In line with researchers at cybersecurity firm Emsisoft, the MOVEit mass-hacks — mentioned to be the biggest hacking incident of the year by the variety of people affected alone — have impacted greater than 2,600 organizations so far, the vast majority of that are primarily based in the USA.
Emsisoft estimates that over 77 million people have been impacted to this point by the cyberattacks, which have been claimed by the infamous Clop ransomware gang. The true variety of affected people is predicted to be considerably larger as extra organizations come ahead.