A security flaw in a file transfer tool used by Welltok, the healthcare platform under Virgin Pulse, led to hackers accessing personal data from over 1.6 million individuals, confirmed by Welltok’s recent data breach notification to Maine’s attorney general.
The breach compromised names, birthdates, addresses, health details, Social Security numbers, Medicare IDs, Medicaid IDs, and health insurance information. Welltok initially dismissed any compromise in July but later confirmed data exfiltration after a second investigation in August.
However, the breach extends beyond Welltok’s initial disclosure. It affected Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, Packard Children’s Health Alliance, Corewell Health, Sutter Health, and St. Bernards. Notably, Corewell Health reported about one million affected patients, Sutter Health over 840,000, and St. Bernards nearly 90,000, far exceeding Welltok’s disclosed numbers.
Interestingly, Welltok’s breach notification webpage was obscured from search engines, making it challenging for affected individuals to find the information.
The incident, linked to the notorious Clop ransomware gang, ranks as one of the year’s largest cyberattacks. Emsisoft estimates over 77 million individuals impacted across 2,600 organizations, predominantly in the United States, with the numbers expected to rise.
Despite inquiries, Welltok has not responded, leaving affected individuals and healthcare providers grappling with the fallout of this expansive breach.