Nationwide data breach leaves 1 million Corewell Health patients' information vulnerable
Hannah MackayA national data security breach at a company hired by Corewell Health has impacted the health information of roughly 1 million patients in southeast Michigan, in addition to 2,500 Priority Health members, according to a statement from the health system earlier this month.
The security breach happened in May when an unauthorized actor gained access to data kept by Welltok, a company hired by Corewell Health to provide patient communication services in southeast Michigan. Welltok also provides a health lifestyle portal for Priority Health, Corewell's health insurance plan.
The hackers gained access to Welltok's MOVEit Transfer server, a platform used to exchange files and data, according to a statement from the company. The breach happened on May 30 and data was exfiltrated from the server.
Corewell Health East patient's names, addresses and health insurance identification numbers could have been extracted, according to the health system's statement. Priority Health clients' names, date of birth, email addresses, phone numbers, diagnoses, health insurance information and social security numbers were also vulnerable.
Welltok was alerted to the potential compromise of the server in July, roughly two months after the breach occurred. They launched an investigation and confirmed the hack in August. The hackers had "exploited software vulnerabilities," according to a Welltok statement in October.
Progress Software, the developer of the MOVEit Transfer tool, had previously alerted the public to software vulnerabilities on their server, according to Welltok's statement. They had also developed security upgrades, which were immediately installed by Welltok when they became available. There was no previous indication that any data housed on the server had been compromised, according to Welltok.
The Health and Human Services Office for Civil Rights says that in total, more than 8 million people were impacted by the breach. They have been sent letters by Welltok, although there is no evidence of fraud or identity theft resulting from the hack. Security concerns within the Welltok system have also been resolved, according to Corewell Health.
"The privacy of our patients, health plan members and team members is a top concern," said Corewell Health spokesman Mark Geary on Thursday. "We recently learned our vendor, Welltok, Inc., was affected by the MOVEit cyberattack that involved more than 2,000 organizations earlier this year. Welltok is communicating directly with the individuals whose data was affected by the attack, and credit monitoring is available to all impacted people."
Free credit monitoring for those impacted by the cyberattack is available, and interested individuals can call Welltok’s assistance line at (800) 628-2141. The company also encouraged everyone to stay vigilant for signs of identity theft or fraud.
hmackay@detroitnews.com