Welltok confirms MOVEit data breach after multiple customers report them as source of incident

published: Nov. 20, 2023


Welltok, a healthcare platform under Virgin Pulse, has reported that they were impacted by a vulnerability that allowed cyber intruders to harvest personal details from over a million individuals. Welltok, headquartered in Denver, specializes in engaging patients and coordinates with healthcare providers to relay healthcare-related information to users.

The breach was initially discovered after Progress Software, the creator of Welltok's MOVEit Transfer server, reported a software vulnerability. In July, Welltok believed there was no evidence of a breach, but a subsequent probe in August uncovered that unauthorized parties had indeed extracted certain data from the MOVEit Transfer server.

Personal data compromised includes:

  • names
  • birth dates
  • physical addresses
  • health-related information
  • Social Security numbers
  • various insurance details

The data breach impacted over 1.6 million individuals in total.

At least Sutter Health and St. Bernards in Arkansas acknowledged that their patient data was involved in the Welltok breach, cumulatively accounting for roughly 1.9 million patients, exceeding the number Welltok originally reported.

Update: as of 23rd November 2023, the impact of the breach has been re-estimated and includes institutions in Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois, and Massachusetts:

  • Blue Cross and Blue Shield of Minnesota and Blue Plus
  • Blue Cross and Blue Shield of Alabama
  • Blue Cross and Blue Shield of Kansas
  • Blue Cross and Blue Shield of North Carolina
  • Corewell Health
  • Faith Regional Health Services
  • Hospital & Medical Foundation of Paris, Inc. dba Horizon Health
  • Mass General Brigham Health Plan
  • Priority Health
  • St. Bernards Healthcare
  • Sutter Health
  • Trane Technologies Company LLC and/or group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc.
  • The group health plans of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance
  • The Guthrie Clinic

Welltok reported on the U.S. Department of Health and Human Services breach portal that the data breach has been confirmed to impact 8,493,379 people.
