Health activation company Welltok has suffered a breach of its MOVEit Transfer server, exposing the health data of members of several health plan providers.
Welltok, a Virgin Pulse-owned healthcare platform, has started notifying millions of individuals impacted in the latest MOVEit data breach. The breach notification letter submitted to the Maine Attorney General reveals that the stolen data includes names, addresses, dates of birth, and health information.
According to the company, the breach impacted data of the group health plans of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance.
“Welltok operates a voluntary online wellness program that encourages healthy lifestyle changes for Stanford and received your information in connection with these services,” the company said.
As with so many other companies, Welltok's data was exposed after attackers exploited a zero-day vulnerability in MOVEit Transfer, which allowed threat actors to download data stored there.
Welltok’s breach notification to Maine’s authorities says the data breach impacted over 1.6 million individuals in total.
While the company doesn’t specify what type of “health information” might have been stored on the compromised servers, individual healthcare data can be sold for hundreds of dollars on dark web forums.
For example, malicious actors can use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to Medicare and other health insurers.
Meanwhile, other personally identifiable information (PII) may be used to commit fraud, from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.
Welltok said it will provide impacted individuals with complimentary credit monitoring services.
Earlier this year, the Russia-linked ransomware cartel Cl0p took credit for the wave of MOVEit Transfer attacks.
According to researchers at Emsisoft, over 2,600 organizations – mainly in the US – and over 77 million individuals have been impacted by the MOVEit attacks so far.
Based on IBM’s estimate, which puts the cost of an average data breach at $165 per leaked record, the impact of the Cl0p attacks would add up to a staggering $12.7 billion.