WellTok Data Breach: At Least 3.5 Million Individuals Notified

The Denver-based patient engagement company, WellTok, has recently confirmed that it was one of the victims of the Clop hacking group, which exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer file transfer tool in May 2023. Around 3.5 million individuals have been notified they have been affected by the Welltok data breach.

Welltok, which is owned by Virgin Pulse, works with health plan providers and manages communications with their subscribers through its platform. The company also operates a voluntary online wellness program for health plan subscribers that encourages healthy lifestyle changes. Welltok used the MOVEit Transfer tool for transferring large datasets across the Internet as part of its contracted services with health plans. According to Welltok, it was notified by Progress Software on May 31, 2023, about a vulnerability in the platform and applied the patch and mitigations as recommended by Progress Software. Its initial investigation suggested its MOVEit Transfer server had not been compromised. Then on July 26, 2023, it was alerted about an earlier breach of its MOVEit Transfer server, and on August 11, 2023, confirmed that the Clop group had exploited the vulnerability on May 30, 2023, the day before the patch was released. Data theft was confirmed on August 26, 2023.

A review of the affected files confirmed that they contained the data of health plan members such as names, dates of birth, addresses, and health information. Certain individuals also had their Social Security numbers, Medicare/Medicaid IDs, and health insurance information stolen. A substitute breach notification was uploaded to the Welltok website in October; however, it would likely only be found by individuals who visited the website, as the page had been set to no-index, which meant it would not be indexed by search engines.

Welltok notified the Maine Attorney General about the data breach, which was reported as affecting 1,648,848 individuals. The notification was issued on behalf of the following group of health plans of Stanford Health Care:

  • Stanford Health Care
  • Lucile Packard Children’s Hospital Stanford
  • Stanford Health Care Tri-Valley
  • Stanford Medicine Partners
  • Packard Children’s Health Alliance

The Welltok website notification states it is providing notifications on behalf of Sutter Health, Trane Technologies Company LLC, and group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc. Those entities were not included in the Maine Attorney General notification. Sacramento, CA-based Sutter Health previously confirmed that it was affected by the Welltok data breach and said 845,451 individuals had been affected.

Arkansas-based St. Bernards Healthcare, Inc. separately reported the breach to the Maine Attorney General as affecting 89,556 individuals. Corewell Health, which serves patients in southeast Michigan, was also affected by the Welltok data breach and said approximately 1 million patients had been affected along with around 2,500 Priority Health members. Based on the reports so far, Welltok has notified around 3.5 million individuals that they were affected.

“Yet another stark example of supply chain vulnerabilities being exploited by cybercriminals. For far too long companies who develop software platforms have seen cybersecurity as an expense versus a functionality of doing business. Greater due diligence is necessitated by Virgin Pulse per runtime security and vulnerability management,” Tom Kellermann, SVP of Cyber Strategy at Contrast Security told the HIPAA Journal.

The latest tracking data from the cybersecurity firm Emsisoft shows the Clop hacking group mass-exploited the vulnerability to attack at least 2,618 organizations globally, and the personal data of at least 77 million individuals was stolen. Emsisoft said the sectors most affected were education, healthcare, and financial and professional services. While the vulnerability was exploited in late May, many organizations have only recently confirmed they were affected, and those totals are certain to continue to rise. Many lawsuits have been filed in response to these data breaches, against the organizations affected as well as Progress Software. 58 lawsuits against Progress Software were consolidated into a single class action in federal court in Massachusetts last month, as each made similar claims. The U.S. Securities and Exchange Commission (SEC) has also launched an investigation into Progress Software over the data breach.

“Once a vulnerability is made public, the hourglass is turned and IT teams have limited time before criminals take advantage of the vulnerability if they haven’t done so already,” Dror Liwer, co-founder of cybersecurity company Coro, told the HIPAA Journal. “To minimize the risk, removal of impacted software, or patching if available, must be immediate. Every sand grain that falls is an opportunity for the criminals, and an exposure to the organization.”

The post WellTok Data Breach: At Least 3.5 Million Individuals Notified appeared first on HIPAA Journal.

Daviess Community Hospital Investigating Potential Cyberattack

Daviess Community Hospital, an Ascension St. Vincent affiliated hospital in Washington, IN, has recently announced that it has launched an investigation after being notified by the U.S. Department of Homeland Security (DHS) about a possible security breach. According to the DHS, a security issue that may have been exploited by cyber actors was identified during routine monitoring.

Hospital CEO Tracy Conway said all internal systems have been shut down while the incident is investigated by a third-party digital forensics firm. Conway said no evidence has been found to date to indicate unauthorized access to its network or patient data, and no ransom demand has been received by the hospital. Taking IT systems offline, including phone lines to outpatient clinics and email, has caused disruption, and the hospital has effectively been temporarily non-computerized. As a result, services have been limited until systems are restored, and some appointments have been cancelled and will have to be rescheduled. The biggest impact is on radiology, as it is not possible to send images to be read. Conway said they are working around the clock to bring IT systems back online and are prioritizing the radiology and pharmacy interfaces.

Wyoming County Community Health System Reports March 2023 Cyberattack

Wyoming County Community Health System in Warsaw, NY, has recently notified 24,016 patients about a security incident that was detected on March 28, 2023. While not referred to as a ransomware attack, legal counsel for the health system said the attack disrupted its network. The forensic investigation revealed files containing patient information had been exposed and may have been viewed or acquired by unauthorized individuals in the attack.

A review of the files was completed on November 8, 2023, and confirmed they contained information such as names, Social Security numbers, driver’s license or state identification numbers, dates of birth, biometric data, medical information, health insurance information, and account numbers. The health system has implemented additional security measures to prevent similar breaches in the future and has offered affected individuals complimentary credit monitoring and identity theft protection services.

Southland Integrated Services Notifies Patients About October 2023 Cyberattack

Southland Integrated Services (SIS), a Californian community-based non-profit organization that operates a Federally Qualified Health Center, has recently notified certain individuals about the exposure of some of their protected health information. SIS explained in its November 10, 2023, breach notification letters that suspicious activity was detected within its computer systems on October 18, 2023.

The forensic investigation confirmed its systems had been accessed by an unauthorized third party between October 16 and October 18, 2023, and during that time, documents were viewed that contained patient data such as names, addresses, dates of birth, vaccination statuses, Social Security numbers, driver’s license numbers, and/or financial account information. Additional safeguards have been implemented to prevent similar breaches in the future and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The incident has been reported to regulators but is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.


Republicans and Democrats Introduce Bills to Improve Consumer Privacy Protections

In the absence of a federal privacy law, it is left to individual states to introduce consumer privacy laws and ensure that companies that collect, process, and sell personal data are adequately protecting that information. While attempts to pass a federal data privacy bill have stalled, Republican and Democratic lawmakers are continuing to push for greater privacy protections for consumers.

Congresswoman Anna Paulina Luna Introduces U.S. Data on U.S. Soil Act

Congresswoman Anna Paulina Luna (R-FL) recently introduced the U.S. Data on U.S. Soil Act to protect the data security of Americans and prevent their personal information from being exploited by foreign adversaries. It is no secret that foreign countries are attempting to collect and use the personal data of U.S. citizens. In March 2023, the House Committee on Energy and Commerce explored the role that social media, and specifically TikTok, plays in data collection and how the Chinese Communist Party has access to the data of U.S. citizens that is collected by TikTok, through TikTok’s parent company, ByteDance.

The European Union has a comprehensive data privacy and protection law, the General Data Protection Regulation (GDPR), which protects the rights of individuals and limits the data that can be collected and used by companies such as TikTok, but there is currently no comparable federal privacy and data protection law in the United States, only a patchwork of laws introduced by individual states.

“Americans daily face the threat of exposing their personal data to bad-actor countries who are looking for a chance to exploit us, simply by opening our phones,” said Luna. “The protections in my bill are long overdue. A military leader would never hand over his tactics and intelligence to the enemy on a silver platter, and neither should we. My bill would make sure our adversaries can’t have a free-for-all with our personal lives, national security, and strength as a country.”

The U.S. Data on U.S. Soil Act seeks to prohibit companies such as TikTok from storing the data of any U.S. national in a physical data center located within a foreign adversary country, including China, Cuba, Iran, North Korea, Russia, and Venezuela. The bill also seeks to prevent government officials in foreign adversary countries from accessing covered data. The bill would set a national minimum standard for data privacy and would not pre-empt state law, ensuring that individual states could implement more stringent data privacy protections. The bill would seek penalties of $50,120 per violation under the unfair or deceptive acts provisions of the Federal Trade Commission Act. The bill, which currently has no companion Senate bill, was co-sponsored by Reps. Mary Miller (R-IL), Ralph Norman (R-SC), and George Santos (R-NY).

Democratic Senator Reintroduces Three Data Privacy Bills

U.S. Sen. Catherine Cortez Masto (D-NV) has recently reintroduced three bills that aim to strengthen consumer data privacy protections. The first bill, the DATA Privacy Act, is concerned with improving privacy protections for consumers and ensuring that large tech firms implement data security and privacy protections. The bill would give consumers the right to request, dispute the accuracy of, and transfer or delete their personal data without retribution. All data collection, processing, storage, and disclosure would require three standards to be met:

  • The data collected must be reasonable, and for a legitimate business or operational purpose that is contextual and does not subject an individual to unreasonable privacy risk.
  • The data must not be used in a discriminatory way.
  • Businesses must not engage in deceptive data practices.

The DATA Privacy Act would give new authority to state Attorneys General and the Federal Trade Commission (FTC) to impose civil penalties for violations.

Sen. Cortez Masto, along with Sen. Deb Fischer (R-NE), reintroduced the Promoting Digital Privacy Technologies Act, which requires the National Science Foundation (NSF) to support research into privacy-enhancing technologies (PET) to help protect consumer data. The bill also calls for the National Institute of Standards and Technology (NIST) to work with the academic, public, and private sectors to establish standards for the integration of PET into business and government.

The third bill, like the U.S. Data on U.S. Soil Act, takes aim at the collection, access, and use of consumer data by foreign adversaries, specifically China. The Internet App ID Act aims to improve the digital security of Americans by requiring operators of Internet websites and mobile applications to disclose whether the applications used by consumers were developed in China, store data within China, or are under the control of the Chinese Communist Party.

“Big technology companies are collecting massive amounts of Americans’ personal information, from social security numbers to health care data. It’s clear we need stronger privacy laws to make sure this information isn’t shared or sold without consumers’ permission,” said Sen. Cortez Masto. “My bills will hold corporations and foreign actors accountable, protect the data privacy of vulnerable consumers, and ensure that our emerging AI and other innovative technology industries grow responsibly.”
