WellTok Data Breach: At Least 3.5 Million Individuals Notified – HIPAA Journal
The Denver-based patient engagement company Welltok has confirmed that it was one of the victims of the Clop hacking group, which exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer tool in May 2023. Around 3.5 million individuals have been notified that they were affected by the Welltok data breach.
Welltok, which is owned by Virgin Pulse, works with health plan providers and manages communications with their subscribers through its platform. The company also operates a voluntary online wellness program for health plan subscribers that encourages healthy lifestyle changes. Welltok used the MOVEit Transfer tool for transferring large datasets across the Internet as part of its contracted services with health plans. According to Welltok, it was notified by Progress Software on May 31, 2023, about a vulnerability in the platform and applied the patch and mitigations as recommended by Progress Software. Its initial investigation suggested its MOVEit Transfer server had not been compromised. Then on July 26, 2023, it was alerted about an earlier breach of its MOVEit Transfer server, and on August 11, 2023, confirmed that the Clop group had exploited the vulnerability on May 30, 2023, the day before the patch was released. Data theft was confirmed on August 26, 2023.
A review of the affected files confirmed that they contained the data of health plan members, such as names, dates of birth, addresses, and health information. Certain individuals also had their Social Security numbers, Medicare/Medicaid IDs, and health insurance information stolen. A substitute breach notification was uploaded to the Welltok website in October; however, it was likely to be found only by individuals who visited the website directly, as the page had been set to noindex, which meant it would not be indexed by search engines.
Welltok notified the Maine Attorney General about the data breach, which was reported as affecting 1,648,848 individuals. The notification was issued on behalf of the following group health plans of Stanford Health Care:
- Stanford Health Care
- Lucile Packard Children’s Hospital Stanford
- Stanford Health Care Tri-Valley
- Stanford Medicine Partners
- Packard Children’s Health Alliance
The Welltok website notification states it is providing notifications on behalf of Sutter Health, Trane Technologies Company LLC, and group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc. Those entities were not included in the Maine Attorney General notification. Sacramento, CA-based Sutter Health previously confirmed that it was affected by the Welltok data breach and said 845,451 individuals had been affected.
Arkansas-based St. Bernards Healthcare, Inc. separately reported the breach to the Maine Attorney General as affecting 89,556 individuals. Corewell Health, which serves patients in southeast Michigan, was also affected by the Welltok data breach and said approximately 1 million patients had been affected along with around 2,500 Priority Health members. Based on the reports so far, Welltok has notified around 3.5 million individuals that they were affected.
“Yet another stark example of supply chain vulnerabilities being exploited by cybercriminals. For far too long companies who develop software platforms have seen cybersecurity as an expense versus a functionality of doing business. Greater due diligence is necessitated by Virgin Pulse per runtime security and vulnerability management,” Tom Kellermann, SVP of Cyber Strategy at Contrast Security told the HIPAA Journal.
The latest tracking data from the cybersecurity firm Emsisoft shows the Clop hacking group mass-exploited the vulnerability to attack at least 2,618 organizations globally, and the personal data of at least 77 million individuals was stolen. Emsisoft said the sectors most affected were education, healthcare, financial services, and professional services. While the vulnerability was exploited in late May, many organizations have only recently confirmed they were affected, and those totals are certain to continue to rise. Many lawsuits have been filed in response to these data breaches, against the organizations affected as well as Progress Software. Last month, 58 lawsuits against Progress Software, each making similar claims, were consolidated into a single class action in federal court in Massachusetts. The U.S. Securities and Exchange Commission (SEC) has also launched an investigation into Progress Software over the data breach.
“Once a vulnerability is made public, the hourglass is turned and IT teams have limited time before criminals take advantage of the vulnerability if they haven’t done so already,” Dror Liwer, co-founder of cybersecurity company Coro, told the HIPAA Journal. “To minimize the risk, removal of impacted software, or patching if available, must be immediate. Every sand grain that falls is an opportunity for the criminals, and an exposure to the organization.”