Welltok’s MOVEit Hack Affects Nearly 8.5 Million, So Far

The hack of a MOVEit server controlled by medical patient communication services provider Welltok has cascaded into a breach affecting nearly 8.5 million individuals, so far.

See Also: Live Webinar | Generative AI: Myths, Realities and Practical Use Cases

In a report filed on Nov. 6 but just recently posted on the Department of Health and Human Services’ Office of Civil Rights HIPAA Breach Reporting Tool website, the Denver-based unit of Virgin Pulse said the MOVEit mass hacking incident has affected the protected health information of more than 8.49 million individuals. Russian-speaking hackers that form the Clop ransomware gang engineered the attack on the widely used file transfer software made by Progress Software in late May. The known scope of the incident continues to spread (see: Known MOVEit Attack Victim Count Reaches 2,618 Organizations).

Security firm Emsisoft now estimates that about 2,636 organizations and nearly 83.3 million individuals have been affected globally by MOVEit hacks.

As of Monday, WellTok said data from two dozen client health plans and related companies has been caught up in the hack of its MOVEit server.

Recent additions to the list of affected Welltok health plan clients include Mass General Brigham Health Plan.

The health insurer said information potentially compromised in Welltok’s MOVEit hack includes name, birthdate, home address, telephone number, email address, last four digits of Social Security number, Medicaid identification number and health insurance information.

The notice does not say how many members were affected.

In recent weeks, Welltok has also acknowledged that its MOVEit hack affected several other health plan clients, including nearly 1.65 million members of the group health plans of Stanford Health Care and a number of its related facilities.

Sutter Health reported on Nov. 3 that it was notifying approximately 845,441 individuals that they had been affected by the incident.

An attorney representing Welltok did not immediately respond to Information Security Media Group’s request for additional details and clarification about the breach.

The HHS OCR website shows that Welltok’s MOVEit hacking incident is the fourth-largest of about 606 major health data breaches reported to U.S. federal regulators so far in 2023.

The MOVEit hack “is likely to not only be one of the largest third-party and direct compromise campaigns but also one that underscores the importance of federal initiatives: secure by design, software bill of materials, and IoT security labeling,” said Mike Hamilton, founder and CISO of security firm Critical Insight.

Covered entities and business associates should be aware of hackers’ accelerated speed in exploiting vulnerabilities, Hamilton said.

“When a vulnerability is identified in an internet-facing application, the race between the application of a patch or the deployment of compensating controls is extremely time-sensitive and should be treated with the same urgency as a security incident to give those activities the greatest priority,” he said.

File transfer, remote access and remote monitoring and management applications all have been repeatedly and aggressively compromised at scale, Hamilton said.

The data exfiltration attacks began around May 27, when the Clop – aka Cl0p – ransomware group began exploiting a zero-day vulnerability that was later designated CVE-2023-34362.

On May 31, Progress Software – MOVEit’s Massachusetts-based vendor – alerted users to the attack campaign and released a patch to fix the flaw.

Welltok said that on July 26, it was alerted “to an earlier alleged compromise of our MOVEit Transfer server in connection with software vulnerabilities made public by the developer of the MOVEit Transfer tool.”

A full reconstruction of Welltok’s systems and historical data by the company’s forensics investigation determined that an “unauthorized actor” had exploited software vulnerabilities, accessing the MOVEit Transfer server on May 30.

Besides the growing tally of breaches involving MOVEit, the Clop ransomware gang also exploited a vulnerability in another popular file transfer software, Fortra’s GoAnywhere application, resulting in dozens of large health data breaches (see: Hackers Hit Secure File Transfer Software Again and Again).