Welltok, a Denver-based patient engagement company under Virgin Pulse, has acknowledged that it was targeted by the Clop hacking group, which exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer tool in May 2023. Around 3.5 million individuals, members of various health plans, have been notified that their data was involved in the breach.
The company, entrusted with managing communications for health plan providers, employs the MOVEit Transfer tool to facilitate large dataset transfers across the internet. Following a notification from Progress Software on May 31, 2023, regarding a vulnerability, Welltok promptly applied recommended patches and mitigations. Initial investigations suggested their MOVEit Transfer server remained uncompromised.
However, subsequent alerts on July 26, 2023, disclosed an earlier breach of the company’s MOVEit Transfer server. On August 11, 2023, this was confirmed as exploitation by the Clop group the day before the patch release. The theft of data was confirmed on August 26, 2023. The affected health plan member data included names, dates of birth, addresses, health details, and for some, Social Security numbers, Medicare/Medicaid IDs, and health insurance specifics.
Welltok’s substitute breach notification, uploaded to its website in October, was published with a ‘no-index’ setting, which limited its visibility and potentially its discovery by affected individuals. Notifications were issued on behalf of various health plans, including Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Sutter Health, Trane Technologies Company LLC, St. Bernards Healthcare, Inc., and Corewell Health, affecting a collective 3.5 million individuals.
The breach highlights broader supply chain vulnerabilities, drawing attention to cybersecurity’s critical role in business operations. Tom Kellermann, SVP of Cyber Strategy at Contrast Security, emphasized the need for heightened diligence in runtime security and vulnerability management.
Emsisoft’s tracking data reveals the extensive impact of the Clop group’s exploitation, affecting over 2,618 global organizations and compromising personal data of at least 77 million individuals across education, healthcare, financial, and professional services sectors. The aftermath has seen numerous lawsuits filed against affected organizations, including Progress Software, with 58 lawsuits consolidated into a federal class action in Massachusetts. The U.S. Securities and Exchange Commission (SEC) has initiated an investigation into Progress Software regarding the breach.
Dror Liwer, co-founder of cybersecurity firm Coro, emphasized the critical time frame after a vulnerability is disclosed, urging immediate removal or patching of the software to minimize risks and highlighting the window of opportunity for cybercriminals.