
Cyber Incident Victim: Welltok

Date:

May 2023

Location:

United States of America

Summary

A healthcare SaaS provider experienced a data security incident involving unauthorized access to its MOVEit Transfer server. This breach compromised the protected health information of a significant number of individuals. The types of data exposed included names, contact details, Social Security numbers, and various health and insurance information. The incident was part of a wider campaign targeting a vulnerability in third-party file transfer software.

CIA Posture: available to members
Motives: 2 motives (available to members)
Tactics, Techniques & Procedures: 2 techniques (available to members)
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

Welltok, a data-driven enterprise SaaS company in the healthcare sector, suffered a significant cybersecurity incident that was publicly disclosed on May 31, 2023. The company provides a consumer activation platform used by health plans, employers, providers and public entities to connect individuals with personalised health improvement resources, and the platform processes large volumes of sensitive consumer data to do so. The incident involved unauthorised access to Welltok's systems by an external threat actor. The disclosure on that date did not give the exact date of the initial intrusion.


The breach affected the MOVEit Transfer server, a third-party managed file transfer product from Progress Software that Welltok used to exchange data with its clients. The threat actor exploited a then-unpatched (zero-day) SQL injection vulnerability in MOVEit Transfer, tracked as CVE-2023-34362, which let unauthenticated attackers reach the application's database, plant a web shell on the server and exfiltrate files from it. The exploitation of this vulnerability was part of a broader campaign, run over the same few days, against numerous organisations worldwide that exposed MOVEit Transfer to the internet. The attackers were able to access and retrieve files containing protected health information and other personal data stored on the compromised server.

The data exfiltrated from Welltok's server covered a wide range of sensitive consumer information: full names, postal addresses, email addresses, phone numbers, health plan membership information and Social Security numbers. The affected individuals were people whose data Welltok was processing on behalf of its clients, which include various health plans and other healthcare entities, so the exposure was spread across many organisations. The total number of affected individuals was not given in the initial disclosure; it was later reported to exceed 8.5 million across the Welltok clients involved.

On discovering the suspicious activity, Welltok invoked its incident response procedures. The company contained the incident by taking the affected MOVEit Transfer server offline, which stopped further unauthorised access but could not recover the data already taken. Welltok engaged third-party cybersecurity specialists to conduct a forensic investigation to establish the scope and impact of the breach, in particular which files had been accessed and which individuals' information was involved. Because the attacker's activity ran through the web application, that scoping depends on the server's request and audit logs having been retained for the period in question. Law enforcement was also notified. Welltok worked with the vendor, Progress Software, which published its advisory and patch for the vulnerability on May 31, 2023, to apply the fixes and remediate the exploited weakness.
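The exploitation chain described above and the scoping question raised here (which files did the attacker actually pull?) both come down to reading the web server's logs. The following is an added example written for this page; it is not code from Welltok, Progress Software or the original write-up. It triages a constructed IIS W3C log for the request pattern that the public Progress and CISA advisories published for the MOVEit Transfer campaign (a web shell reached at /human2.aspx, and the POST sequence /moveitisapi/moveitisapi.dll?action=m2, /guestaccess.aspx, /api/v1/token), then lists the /api/v1/files/<id>/download calls made by each flagged client. The page itself does not name these indicators, and every log line, IP address and file id below is constructed.

```python
"""Triage an IIS W3C log from a MOVEit Transfer host for the 2023
exploitation chain and list what the flagged clients downloaded.

Added example, not part of the original incident write-up and not code
from Welltok or Progress Software. Indicator paths come from the public
CISA/Progress advisories for the campaign; every log line, IP and file
id below is constructed.
"""
import re
from collections import defaultdict

# human2.aspx is the web shell filename reported in the advisories; the
# legitimate application page is human.aspx, so a naive substring match
# on "human" would flag normal users.
WEBSHELL_PATH = "/human2.aspx"
# Exploitation sequence: (method, path, required query substring or None).
CHAIN = [
    ("POST", "/moveitisapi/moveitisapi.dll", "action=m2"),
    ("POST", "/guestaccess.aspx", None),
    ("POST", "/api/v1/token", None),
]
DOWNLOAD_RE = re.compile(r"^/api/v1/files/(\d+)/download$", re.IGNORECASE)
REASON_WEBSHELL = "request to web shell path human2.aspx"
REASON_CHAIN = "moveitisapi.dll(action=m2) -> guestaccess.aspx -> api/v1/token sequence"

# Constructed sample log (W3C format, one #Fields header), not real data.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-05-30 02:11:04 203.0.113.7 GET /human2.aspx - 404
2023-05-30 02:11:05 203.0.113.7 POST /moveitisapi/moveitisapi.dll action=m2 200
2023-05-30 02:11:06 203.0.113.7 POST /guestaccess.aspx - 200
2023-05-30 02:11:07 203.0.113.7 POST /api/v1/token - 200
2023-05-30 02:11:09 203.0.113.7 GET /api/v1/folders/12345/files - 200
2023-05-30 02:11:10 203.0.113.7 GET /api/v1/files/98/download - 200
2023-05-30 02:12:31 203.0.113.7 GET /human2.aspx - 200
2023-05-30 02:12:32 203.0.113.7 GET /api/v1/files/99/download - 200
2023-05-30 08:15:00 198.51.100.20 GET /human.aspx - 200
2023-05-30 08:15:10 198.51.100.20 POST /api/v1/token - 200
2023-05-30 08:15:20 198.51.100.20 GET /api/v1/files/5/download - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet or malformed line: skip, don't guess
        yield dict(zip(fields, parts))


def _matches(rec, step):
    method, path, query = step
    return (rec["cs-method"] == method
            and rec["cs-uri-stem"].lower() == path
            and (query is None or query in rec["cs-uri-query"]))


def triage(text):
    """Return {client_ip: {"reasons": [...], "downloads": [file_id, ...]}}
    for clients whose requests show the campaign pattern. Downloads are
    the /api/v1/files/<id>/download calls made by that client, i.e. the
    starting point for scoping which files were taken."""
    per_ip = defaultdict(list)
    for rec in parse_w3c(text):
        per_ip[rec["c-ip"]].append(rec)  # log order == time order

    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        # Even a 404 on the shell path is worth keeping: it is a probe.
        if any(r["cs-uri-stem"].lower() == WEBSHELL_PATH for r in recs):
            reasons.append(REASON_WEBSHELL)
        step = 0
        for r in recs:  # steps must appear in order, not merely all occur
            if _matches(r, CHAIN[step]):
                step += 1
                if step == len(CHAIN):
                    reasons.append(REASON_CHAIN)
                    break
        if reasons:
            downloads = [m.group(1) for r in recs
                         if (m := DOWNLOAD_RE.match(r["cs-uri-stem"]))]
            findings[ip] = {"reasons": reasons, "downloads": downloads}
    return findings


if __name__ == "__main__":
    for ip, f in triage(SAMPLE_LOG).items():
        print(ip, f["reasons"], "downloaded file ids:", f["downloads"])
```

Against a real host you would call `triage()` on the contents of each daily log under the IIS log directory and join the file ids back to the MOVEit database to get filenames and owners. Default IIS logging records neither request headers nor bodies, so this check keys on paths only; a benign client that legitimately POSTs to /api/v1/token is not flagged unless the two preceding exploitation requests occurred first, which is why the sequence is matched in order rather than as a set.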

Welltok then began notifying its affected clients and the public. The company issued a public statement on its website on May 31, 2023 to disclose the breach, and sent individual notifications to the organisations that used its services, committing to work with those clients on direct notification of the impacted consumers. It also arranged complimentary credit monitoring and identity protection services for all affected individuals to mitigate the harm from the exposed personal information. The Welltok breach was one of the largest incidents to come out of the MOVEit campaign, and it illustrates the supply chain risk posed by a single vulnerability in widely deployed enterprise software: one vendor's server compromised the data of many downstream healthcare organisations at once. The incident had operational and financial repercussions for Welltok and its partners, requiring a large-scale response to address consumer concerns and regulatory obligations.

Sources
1 source (available to members)