Hackers accessed sensitive health data of more than 8 million Welltok patients

Hackers accessed the personal data of more than 8 million people by exploiting a security vulnerability in a file transfer tool used by Welltok, the healthcare platform owned by Virgin Pulse.

Welltok, a Denver-based patient engagement company that works with healthcare plans to provide communications to subscribers about their healthcare, first confirmed in a notice published on its website in late October that it had suffered a data breach after hackers compromised its MOVEit Transfer server, a system that allows organizations to move large sets of often-sensitive data over the internet.

TechCrunch found that Welltok’s data breach notice includes “noindex” code, which tells search engines to ignore the web page, effectively making it more difficult for affected customers to find the statement by searching for it. It’s not clear why Welltok hid its data breach notification from search engines.

Last week, the company said in a data breach notification filed with Maine’s attorney general that the MOVEit hackers accessed the sensitive data of more than 1.6 million individuals. However, additional healthcare providers that partner with Welltok also confirmed that they had been impacted by the breach, suggesting that more individuals had been affected than the figure stated in Welltok’s disclosure with Maine’s attorney general.

On Thursday, an update to the U.S. Department of Health and Human Services breach portal confirmed that the Welltok breach had impacted more than 8 million individuals in total. This makes the incident the second largest MOVEit breach, after the breach of U.S. government contractor Maximus that impacted 11 million individuals.

As confirmed by Welltok, the compromised data includes individuals’ names, dates of birth, addresses, Social Security numbers, health information, Medicare and Medicaid ID numbers and health insurance information.

The full list of impacted healthcare providers is not yet known.

In its filing with Maine’s attorney general, Welltok said that the breach affected the group healthcare plans of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners and Packard Children’s Health Alliance, which Welltok said it notified on October 18.

Separately, Corewell Health, a provider of healthcare services in southeast Michigan that uses Welltok for patient communication, said in a press release last week that the health information of approximately one million patients, along with around 2,500 Priority Health members, was compromised by Welltok’s breach.

Sutter Health, a nonprofit healthcare provider headquartered in Sacramento, also confirmed that more than 840,000 of its patients were impacted by the Welltok breach.

St. Bernards, an Arkansas-based healthcare provider that uses a patient contact-management platform by Welltok, was also affected, the company said in a statement. In an earlier filing with Maine’s attorney general, Welltok confirmed that the breach impacted almost 90,000 St. Bernards patients.

TechCrunch has asked Welltok for comment, but has not received a response at the time of publication.

According to researchers at cybersecurity firm Emsisoft, the MOVEit mass-hacks — said to be the biggest hacking incident of the year by the number of individuals affected alone — have impacted more than 2,600 organizations to date, the majority of which are based in the United States.

Emsisoft estimates that over 82 million individuals have been impacted so far by the cyberattacks, which have been claimed by the notorious Clop ransomware gang. The true number of affected individuals is expected to be significantly higher as more organizations come forward.

UPDATE, Nov. 22, 14:30 p.m. ET: This article has been updated to include figures from the U.S. Department of Health and Human Services breach portal.