Cyber Incident Victim: WellDyneRx
Date: Oct 2021
Location: United States of America
Summary
WellDyneRx experienced unauthorized access to an email account over a multi-week period, potentially exposing a range of personal and medical information. While no evidence confirmed data theft, the pharmacy benefits provider acknowledged possible compromise of sensitive details including names, Social Security numbers, dates of birth, treatment histories, prescription data, health insurance information, and contact details. The breach investigation could not determine whether attackers accessed or exfiltrated individually identifiable patient records stored within the affected email system.
Description
WellDyneRx, LLC, a Florida-based pharmacy benefits service provider, detected unauthorized access to an email account during an investigation initiated on December 2, 2021. The subsequent forensic analysis revealed that the unauthorized access occurred between October 30, 2021, and November 11, 2021. While the company found no direct evidence that individually identifiable information within the compromised email account was accessed or exfiltrated by unauthorized actors, WellDyne explicitly stated it could not rule out this possibility. The types of data potentially exposed varied by individual but encompassed sensitive personal, medical, and insurance information. Specific elements at risk included full names, dates of birth, Social Security numbers, driver’s license numbers, treatment details, health insurance policy information, contact information, prescription records, and broader medical or health-related data. WellDyne disclosed these findings publicly through a press release issued on May 6, 2022, nearly six months after the initial detection of the incident. The breach timeline indicated a 13-day window of unauthorized email access prior to detection, with no mention of how the intrusion was initially identified or whether multi-factor authentication protected the affected account. The company did not specify the number of individuals potentially impacted by the email compromise or describe any technical containment measures implemented following the discovery.

The potential compromise of Social Security numbers, driver’s license details, and medical treatment history created significant risks of identity theft, medical fraud, and targeted phishing campaigns against affected individuals. Exposure of prescription information and diagnosis history heightened concerns about medical privacy violations and potential discrimination. WellDyne’s public notification emphasized the variability in exposed data elements per individual but did not provide a mechanism for individuals to confirm whether their specific data was accessed. No evidence of actual misuse of personal information was reported at the time of disclosure. The company’s response appeared limited to investigative findings and public notification, with no mention of complimentary credit monitoring, identity protection services, or regulatory penalties in the disclosed information. The 178-day gap between detection (December 2, 2021) and public disclosure (May 6, 2022) suggested a prolonged investigation period without interim notifications to potentially affected parties. The breach’s confinement to a single email account implied a relatively contained incident compared to full network compromises, though the sensitivity of the data involved amplified its severity. WellDyne’s acknowledgment of uncertainty regarding data access underscored the challenges in definitively assessing breach impacts within email-based incidents.
