Cyber Incident Victim: Corewell Health

Date: May 2023

Location: United States of America

Summary

A data security event at Welltok, Inc., a Virgin Pulse company providing patient communication services, impacted approximately one million patients of Corewell Health and about 2,500 members of its Priority Health plan. The incident was caused by the MOVEit vulnerability and resulted in the exposure of personal and protected health information. Welltok reported that no fraudulent activity was detected and that its system and security concerns were resolved, and it offered free credit monitoring to all impacted individuals.


Description

On or around May 31, 2023, Virgin Pulse company Welltok, Inc. became aware of and subsequently reported a national data security event. The incident was caused by the exploitation of a vulnerability in the MOVEit file transfer application. Welltok, a provider of patient communication services, utilized this application, and the vulnerability provided the conduit for unauthorized access to its systems. The company provides patient communication services for Corewell Health in Southeast Michigan and also operates a healthy lifestyle portal for Priority Health, which is Corewell Health's health plan. The security event was not an isolated incident affecting a single entity but was part of a broader wave of attacks exploiting the same MOVEit vulnerability across numerous organizations.

The incident impacted a significant number of individuals associated with these healthcare providers. The total number of affected people reached approximately one million patients of Corewell Health in Southeast Michigan. Additionally, the data of about 2,500 members of the Priority Health plan were also compromised in the event. The scope of the impact was substantial due to the nature of the services Welltok provided, which involved handling large volumes of sensitive patient and member information for its healthcare clients.

The types of personal and protected health information exposed in the breach varied between the two affected groups. For the Corewell Health patients, the compromised data was particularly sensitive and comprehensive. The information accessed included full names, dates of birth, email addresses, phone numbers, diagnosis information, health insurance details, and Social Security numbers. This combination of data elements created a high risk for potential identity theft and fraud for these individuals. For the Priority Health members, the scope of exposed information was different, though still significant. The data involved for these individuals included their names, addresses, and health insurance identification numbers.

Following the discovery and containment of the security event, Welltok undertook a notification process. The company sent individual letters via postal mail to all impacted individuals to inform them of the situation. These letters detailed the nature of the incident, the specific types of their personal information that were involved, and the steps Welltok was taking in response. To address concerns and provide a direct channel for information, Welltok also established a dedicated assistance line. This toll-free number, 800-628-2141, was set up to field questions from concerned individuals and to provide them with additional information on the potential impact of the breach on their personal data.

As a remedial measure, Welltok offered free credit monitoring and identity protection services to everyone whose information was impacted by the event. This offer was extended to all one million Corewell Health patients and the 2,500 Priority Health members. The purpose of this offering was to help detect any potential misuse of the stolen information and to mitigate the risk of financial harm or identity theft for the affected individuals. Welltok officials publicly stated that their system and the specific security concerns related to this MOVEit exploitation event had been resolved. Furthermore, the company reported that it was not aware of any actual instances of fraud or identity theft that had arisen from the incident at the time of their notification. Corewell Health itself subsequently reported that no fraudulent activity stemming from this event had been detected. The incident was attributed to an external vulnerability in a third-party software product rather than a direct breach of the healthcare system's own internal networks.
