8.5M Records Impacted By Welltok Data Breach Stemming From MOVEit Hack

November 29, 2023 - Healthcare software-as-a-service company Welltok recently notified 8.5 million individuals of a data breach stemming from the May 2023 MOVEit hack. The incident signifies one of the largest breaches reported to HHS in 2023. As previously reported, threat actors took advantage of a vulnerability in Progress Software’s MOVEit Transfer server, impacting MOVEit customers across the country.

Progress software disclosed the vulnerability on May 31 and issued a patch on the same day.

“Welltok had previously installed all published patches and security upgrades immediately upon such patches being made available by Progress Software, the developer of the MOVEit Transfer tool,” Welltok’s notice stated.

“Welltok also conducted an examination of our systems and networks using all information available to determine the potential impact of the vulnerabilities we were alerted to on the MOVEit Transfer server and the security of data housed on the server, and confirmed that there was no indication of any compromise at that time.”

However, further investigation by Welltok determined that an unauthorized actor had in fact exploited the vulnerabilities and exfiltrated certain data from the MOVEit Transfer server. Welltok notified millions of consumers on behalf of 20 healthcare providers and plans, including Sutter Health, Mass General Brigham Health Plan, and Blue Cross and Blue Shield of Minnesota, Alabama, Kansas, and North Carolina, among others.

The information involved in the breach may have included names, addresses, email addresses, and phone numbers. A small number of Social Security numbers, health insurance information, and Medicare/Medicaid ID numbers were also impacted.

“We take this event and the security of personal information in our care very seriously.  Upon learning of this event, we moved quickly to investigate and respond to the event and notify potentially affected individuals,” Welltok stated. 

“As part of our ongoing commitment to the security of information, we are reviewing and enhancing our existing policies and procedures related to data privacy to reduce the likelihood of a similar future event.”

Warren General Hospital Notifies Patients of Data Breach

Pennsylvania-based Warren General Hospital (WGH) notified 168,921 individuals of a healthcare data breach that occurred in September 2023. WGH detected suspicious activity within its network on September 24 and later determined that an unauthorized actor had accessed its systems between September 15 and September 23.

The threat actor downloaded information pertaining to current and former WGH patients and employees. The records contained names, dates of birth, Social Security numbers, payment card information, financial account information, health insurance claims information, addresses, and medical information.

WGH encouraged impacted individuals to monitor accounts and remain vigilant against incidents of identity theft.

“We take this event and the security of personal information in our care very seriously. Upon learning of this event, we moved quickly to investigate and respond, assess the security of our network, and notify potentially affected individuals,” WGH assured patients and employees.

“As part of our ongoing commitment to information security, we reviewed existing policies and procedures, enhanced administrative and technical controls, and provided additional security training to reduce the likelihood of a similar future event.”

Mission Community Hospital Suffers Breach

Mission Community Hospital, a two-campus acute care hospital in the San Fernando Valley, suffered a data breach in May 2023. Despite discovering the breach on May 1, Mission Community Hospital did not complete its analysis of the impacted information until November 21, when it began mailing letters to impacted patients.

The investigation determined that an unauthorized party had gained access to its IT network and accessed files containing patient information. The information varies by patient but may have included names, addresses, Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, financial account information, diagnosis information, and health insurance information.

The hospital encouraged patients to review healthcare statements for any suspicious activity. In addition, Mission Community Hospital pledged to adopt additional safeguards to further protect its systems from similar attacks.