Cyber Incident Victim: Corewell Health

Date: May 2023

Location: United States of America

Summary

A cybersecurity incident at Welltok, Inc., a vendor providing patient communication services for Corewell Health, impacted approximately one million patients. The event was caused by a vulnerability in the MOVEit file transfer tool and resulted in the exposure of sensitive personal and health information, including names, dates of birth, Social Security numbers, and health insurance details. The vendor has reported that no fraudulent activity has been detected as a result of the breach and is offering credit monitoring to those affected.

Description

A Virgin Pulse company, Welltok, Inc., notified individuals across the United States of a national data security event. This incident was caused by the exploitation of a vulnerability in a third-party file transfer tool, MOVEit. The public notification regarding this event was made by Corewell Health on May 31, 2023. Welltok provides specific services to Corewell Health and its health plan, Priority Health. For Corewell Health in Southeast Michigan, Welltok operates as a provider of patient communication services. For Priority Health, Welltok maintains and operates a healthy lifestyle portal for its members.

The security event resulted in the unauthorized access and exfiltration of sensitive personal and health information. The data impacted varied between the two affected groups. For approximately one million patients of Corewell Health in Southeast Michigan, the compromised information was extensive and highly sensitive. It included full name, date of birth, email address, phone number, diagnosis information, health insurance details, and Social Security number. For approximately 2,500 members of Priority Health, the scope of impacted data was more limited, consisting of name, address, and health insurance identification number.

Welltok, as the entity directly responsible for the compromised systems, undertook the process of notifying all impacted individuals. The company sent formal letters by mail to every person whose information was involved in the data security event. These letters detailed the nature of the incident and the specific types of personal information that were exposed. Welltok also established a dedicated assistance line to field questions and provide additional information to concerned individuals. This toll-free number, 800-628-2141, was made available for those seeking to understand the potential impact on them personally.

In response to the breach and the risk it posed to those affected, Welltok offered a remediation service to all impacted individuals. The company provided free credit monitoring services to every patient and member whose data was accessed. This offering was intended to help individuals detect any potential misuse of their personal information, particularly their Social Security numbers and other financial identifiers. The company publicly stated that its internal system and security concerns related to this specific event had been resolved. Furthermore, Welltok officials reported that they were not aware of any instances of actual fraud or identity theft that had arisen as a direct consequence of this data security incident.

The incident was a direct result of a widespread vulnerability affecting the MOVEit file transfer application, a tool used by countless organizations globally. This vulnerability was exploited by malicious actors to gain unauthorized access to systems and data. Welltok's use of this third-party software was the point of entry for the attackers, leading to the compromise of the data they held on behalf of Corewell Health and Priority Health. The event is characterized as a third-party data breach, where the attack occurred within the vendor's infrastructure rather than within the health system's own direct network environment. The public announcement from Corewell Health served to inform its patients and members about the event, its scope, and the response actions being taken by its business associate, Welltok. The health system itself reported that no fraudulent activity stemming from the incident had been detected.
