Hackers accessed sensitive health data of more than 8 million Welltok patients


the logos of Virgin Pulse and Welltok on a blue swirling background
Image Credits: Virgin Pulse / Welltok

Hackers accessed the personal data of more than 8 million people by exploiting a security vulnerability in a file transfer tool used by Welltok, the healthcare platform owned by Virgin Pulse.

Welltok, a Denver-based patient engagement company that works with healthcare plans to provide communications to subscribers about their healthcare, first confirmed in a notice published on its website in in late-October that it had suffered a data breach after hackers compromised its MOVEit Transfer server, a system that allows organizations to move large sets of often-sensitive data over the internet.

TechCrunch found that Welltok’s data breach notice includes “noindex” code, which tells search engines to ignore the web page, effectively making it more difficult for affected customers to find the statement by searching for it. It’s not clear for what reason Welltok hid its data breach notification from search engines.

Last week, the company said in a data breach notification filed with Maine’s attorney general that the MOVEit hackers accessed the sensitive data of more than 1.6 million individuals. However, additional healthcare providers that partner with Welltok also confirmed that they had been impacted by the breach, suggesting that more individuals had been affected than the figure stated in Welltok’s disclosure with Maine’s attorney general.

On Thursday, an update to the U.S. Department of Health and Human Services breach portal confirmed that the Welltok breach had impacted more than 8 million individuals in total. This makes the incident the second largest MOVEit breach, after the breach of U.S. government contractor Maximus that impacted 11 million individuals.

As confirmed by Welltok, the compromised data includes individuals’ names, dates of birth, addresses, Social Security numbers, health information, Medicare and Medicaid ID numbers and health insurance information.

The full list of impacted healthcare providers is not yet known.

In its filing with Maine’s attorney general, Welltok said that the breach affected the group healthcare plans of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners and Packard Children’s Health Alliance, which Welltok said it notified on October 18.

Separately, Corewell Health, a provider of healthcare services in southeast Michigan that uses Welltok for patient communication, said in a press release last week that the health information of approximately one million patients, along with around 2,500 Priority Health members, was compromised by Welltok’s breach.

Sutter Health, a nonprofit healthcare provider headquartered in Sacramento, also confirmed that more than 840,000 of its patients were impacted by the Welltok breach.

St. Bernards, an Arkansas-based healthcare provider that uses a patient contact-management platform by Welltok, was also affected, the company said in a statement. In an earlier filing with Maine’s attorney general, Welltok confirmed that the breach impacted almost 90,000 St. Bernards patients.

TechCrunch has asked Welltok for comment, but has not received a response at the time of publication.

According to researchers at cybersecurity firm Emsisoft, the MOVEit mass-hacks — said to be the biggest hacking incident of the year by the number of individuals affected alone — have impacted more than 2,600 organizations to date, the majority of which are based in the United States.

Emsisoft estimates that over 82 million individuals have been impacted so far by the cyberattacks, which have been claimed by the notorious Clop ransomware gang. The true number of affected individuals is expected to be significantly higher as more organizations come forward.

UPDATE, Nov. 22, 14:30 p.m. ET: This article has been updated to include figures from the U.S. Department of Health and Human Services breach portal.

MOVEit, the biggest hack of the year, by the numbers

More TechCrunch

OpenAI is removing one of the voices used by ChatGPT after users found that it sounded similar to Scarlett Johansson, the company announced on Monday. The voice, called Sky, is…

OpenAI is removing ChatGPT’s AI voice that sounds like Scarlett Johansson

Copilot, Microsoft’s brand of generative AI, will soon be far more deeply integrated into the Windows 11 experience.

Microsoft Build 2024: All the AI and hardware products Microsoft announced

Hello and welcome back to TechCrunch Space. For those who haven’t heard, the first crewed launch of Boeing’s Starliner capsule has been pushed back yet again to no earlier than…

TechCrunch Space: Star(side)liner

When I attended Automate in Chicago a few weeks back, multiple people thanked me for TechCrunch’s semi-regular robotics job report. It’s always edifying to get that feedback in person. While…

These 81 robotics companies are hiring

The top vehicle safety regulator in the U.S. has launched a formal probe into an April crash involving the all-electric VinFast VF8 SUV that claimed the lives of a family…

VinFast crash that killed family of four now under federal investigation

When putting a video portal in a public park in the middle of New York City, some inappropriate behavior will likely occur. The Portal, the vision of Lithuanian artist and…

NYC-Dublin real-time video portal reopens with some fixes to prevent inappropriate behavior

Longtime New York-based seed investor, Contour Venture Partners, is making progress on its latest flagship fund after lowering its target. The firm closed on $42 million, raised from 64 backers,…

Contour Venture Partners, an early investor in Datadog and Movable Ink, lowers the target for its fifth fund

Meta’s Oversight Board has now extended its scope to include the company’s newest platform, Instagram Threads, and has begun hearing cases from Threads.

Meta’s Oversight Board takes its first Threads case

The company says it’s refocusing and prioritizing fewer initiatives that will have the biggest impact on customers and add value to the business.

SeekOut, a recruiting startup last valued at $1.2 billion, lays off 30% of its workforce

The U.K.’s self-proclaimed “world-leading” regulations for self-driving cars are now official, after the Automated Vehicles (AV) Act received royal assent — the final rubber stamp any legislation must go through…

UK’s autonomous vehicle legislation becomes law, paving the way for first driverless cars by 2026

ChatGPT, OpenAI’s text-generating AI chatbot, has taken the world by storm. What started as a tool to hyper-charge productivity through writing essays and code with short text prompts has evolved…

ChatGPT: Everything you need to know about the AI-powered chatbot

SoLo Funds CEO Travis Holoway: “Regulators seem driven by press releases when they should be motivated by true consumer protection and empowering equitable solutions.”

Fintech lender SoLo Funds is being sued again by the government over its lending practices

Hard tech startups generate a lot of buzz, but there’s a growing cohort of companies building digital tools squarely focused on making hard tech development faster, more efficient and —…

Rollup wants to be the hardware engineer’s workhorse

TechCrunch Disrupt 2024 is not just about groundbreaking innovations, insightful panels, and visionary speakers — it’s also about listening to YOU, the audience, and what you feel is top of…

Disrupt Audience Choice vote closes Friday

Google says the new SDK would help Google expand on its core mission of connecting the right audience to the right content at the right time.

Google is launching a new Android feature to drive users back into their installed apps

Jolla has taken the official wraps off the first version of its personal server-based AI assistant in the making. The reborn startup is building a privacy-focused AI device — aka…

Jolla debuts privacy-focused AI hardware

The ChatGPT mobile app’s net revenue first jumped 22% on the day of the GPT-4o launch and continued to grow in the following days.

ChatGPT’s mobile app revenue saw its biggest spike yet following GPT-4o launch

Dating app maker Bumble has acquired Geneva, an online platform built around forming real-world groups and clubs. The company said that the deal is designed to help it expand its…

Bumble buys community building app Geneva to expand further into friendships

CyberArk — one of the army of larger security companies founded out of Israel — is acquiring Venafi, a specialist in machine identity, for $1.54 billion. 

CyberArk snaps up Venafi for $1.54B to ramp up in machine-to-machine security

Founder-market fit is one of the most crucial factors in a startup’s success, and operators (someone involved in the day-to-day operations of a startup) turned founders have an almost unfair advantage…

OpenseedVC, which backs operators in Africa and Europe starting their companies, reaches first close of $10M fund

A Singapore High Court has effectively approved Pine Labs’ request to shift its operations to India.

Pine Labs gets Singapore court approval to shift base to India

The AI Safety Institute, a U.K. body that aims to assess and address risks in AI platforms, has said it will open a second location in San Francisco. 

UK opens office in San Francisco to tackle AI risk

Companies are always looking for an edge, and searching for ways to encourage their employees to innovate. One way to do that is by running an internal hackathon around a…

Why companies are turning to internal hackathons

Featured Article

I’m rooting for Melinda French Gates to fix tech’s broken ‘brilliant jerk’ culture

Women in tech still face a shocking level of mistreatment at work. Melinda French Gates is one of the few working to change that.

1 day ago
I’m rooting for Melinda French Gates to fix tech’s  broken ‘brilliant jerk’ culture

Blue Origin has successfully completed its NS-25 mission, resuming crewed flights for the first time in nearly two years. The mission brought six tourist crew members to the edge of…

Blue Origin successfully launches its first crewed mission since 2022

Creative Artists Agency (CAA), one of the top entertainment and sports talent agencies, is hoping to be at the forefront of AI protection services for celebrities in Hollywood. With many…

Hollywood agency CAA aims to help stars manage their own AI likenesses

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says