Welltok confirms MOVEit data breach after multiple customers report them as source of incident
Welltok, a healthcare platform under Virgin Pulse, has reported that they were impacted by a vulnerability that allowed cyber intruders to harvest personal details from over a million individuals. Welltok, headquartered in Denver, specializes in engaging patients and coordinates with healthcare providers to relay healthcare-related information to users.
The breach was initially discovered after Progress software - the creator of Welltok's MOVEit Transfer server reported a software vulnerability. In July, Welltok believed there was no evidence of a breach, but a subsequent probe in August uncovered that unauthorized parties had indeed extracted certain data from the MOVEit Transfer server.
Personal data compromised includes
The data breach impacted over 1.6 million individuals in total.
At least Sutter Health and St. Bernards in Arkansas, acknowledged that their patient data was involved in the Welltok breach, cumulatively accounting for roughly 1.9 million patients, exceeding the number Welltok originally reported.
Update - as of 23rd November 2023, the impact of the breach is re-estimated and includes institutions in Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois, and Massachusetts:
Welltok reported on the U.S. Department of Health and Human Services breach portal that the data breach has been confirmed to impact 8,493,379 people.