
A cybersecurity breach at Welltok Inc., the software company contracted to provide communications services to Corewell Health’s southeastern Michigan facilities, has reportedly affected more than 1 million Michigan residents, Michigan Attorney General Dana Nessel announced.
The names, dates of birth, email addresses, phone numbers, medical diagnoses, health insurance information and Social Security numbers for Corewell patients were compromised in the breach, Nessel said in a release.
In addition, the names, addresses and health insurance identification numbers of 2,500 users of the healthy lifestyle portal for Priority Health, an insurance plan owned by Corewell, were also compromised, according to a statement from the health system earlier this month.
In total, the breach affected nearly 8.5 million people nationally.
The attack, which occurred on May 30, exploited software vulnerabilities on the MOVEit Transfer server owned by Virgin Pulse, Welltok’s parent company.
“Health information is some of the most personal information that we have,” said Nessel. “If there was ever data that required heightened cybersecurity measures, it is the information held by the health care sector.
“This kind of breach has occurred too often, and patients deserve to feel confident that their health data is protected in the most robust way possible. My office remains committed to helping Michigan residents keep their data private and secure.”
Corewell said in a statement that, “The privacy of our patients, health plan members and team members is a top concern. We recently learned our vendor, Welltok Inc., was affected by the MOVEit cyberattack that involved more than 2,000 organizations earlier this year.”
Welltok said those affected include people who have received health care or insurance provided by the following companies:
– Asuris Northwest Health
– BridgeSpan Health
– Blue Cross and Blue Shield of Minnesota and Blue Plus
– Blue Cross and Blue Shield of Alabama
– Blue Cross and Blue Shield of Kansas
– Blue Cross and Blue Shield of North Carolina
– Faith Regional Health Services
– Hospital & Medical Foundation of Paris, Inc. dba Horizon Health
– Mass General Brigham Health Plan
– Regence BlueCross BlueShield of Oregon
– Regence BlueShield
– Regence BlueCross BlueShield of Utah
– Regence Blue Shield of Idaho
– St. Bernards Healthcare
– Sutter Health
– Trane Technologies Company LLC and/or group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc.
– The group health plans of Stanford Health Care, of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance
– The Guthrie Clinic.
According to the HIPAA Journal, this cyberattack marks the fourth-largest health care data breach in the U.S. this year, Nessel said.
The U.S. Department of Health and Human Services reported that data breaches among health care organizations more than doubled from 2019 to 2021. In 2022, at least 28.5 million health care records were breached nationwide, the state attorney general said.
Michigan, in particular, has experienced a surge in health care cyberattacks. In recent months, Nessel notified Michigan residents about a ransomware attack affecting 2.5 million McLaren Health Care patients.
The University of Michigan faced a cyberattack in late August, leading to the compromise of personal information, including Social Security numbers, driver’s license or other government-issued ID numbers and medical records.
If Welltok has a valid mailing address on file, the company is mailing a notice letter to individuals whose information is in the affected files.
Anyone who does not receive a notice letter but wants to know if they are affected, or has other questions, may call the Welltok dedicated assistance line at 800-628-2141.
Corewell’s statement said Welltok is providing credit monitoring to those affected.
Welltok officials say their system and security concerns are resolved, and they are not aware of any fraud or identity theft arising from the event, according to a post on Corewell’s website.
Although those affected should receive a notice letter from Welltok, state law does not currently require companies who experience a data breach to share that information with the attorney general.
Nessel’s office often learns about these data breaches through media reports. She strongly recommends the Legislature follow other states and strengthen Michigan’s law requiring companies who experience a data breach to immediately inform the attorney general.
To file a complaint with the attorney general, or get additional information, contact:
Consumer Protection Team:
P.O. Box 30213
Lansing, MI 48909
517-335-7599
Fax: 517-241-3771
Toll-free: 877-765-8388
Go to https://secure.ag.state.mi.us/complaints/consumer.aspx for an online complaint form.