Nationwide Healthcare Data Breach: Protecting Patient Information: Investigating the Breach and Identifying Measures for Safeguarding Sensitive Medical Data

Introduction

In recent news, a nationwide healthcare data breach has impacted millions of patients across the country, including individuals in the Brazos Valley. Welltok, a Colorado-based healthcare platform, discovered unauthorized access to their MOVEit Transfer server, compromising sensitive patient information. While there is no evidence of misuse, it is essential for affected individuals to take proactive steps to protect their personal information. This article provides a comprehensive overview of the data breach, the information that may have been compromised, and the actions individuals can take to safeguard their data.

What Happened?

Welltok first became aware of the potential compromise on July 26, 2023, when they were alerted to software vulnerabilities in their MOVEit Transfer server. Despite having installed all published patches and security upgrades promptly, an unauthorized actor exploited these vulnerabilities on May 30, 2023. The breach resulted in the exfiltration of certain data from the server.

After an extensive investigation conducted by third-party cybersecurity specialists, Welltok confirmed the presence of data related to certain individuals on the impacted server. The compromised information may include names, addresses, phone numbers, email addresses, and, in some cases, more sensitive data such as social security numbers, Medicare or Medicaid ID numbers, and specific health insurance information. It is important to note that Welltok has not found any indication of misuse of this information thus far.

Organizations Impacted

Welltok is providing notice to impacted individuals on behalf of numerous organizations, including:

• Altru

• Asuris Northwest Health

• Baylor Scott & White Health

• BridgeSpan Health

• Blue Cross and Blue Shield of Massachusetts

• Blue Cross and Blue Shield of Minnesota and Blue Plus

• Blue Cross and Blue Shield of Alabama

• Blue Cross and Blue Shield of Kansas

• Blue Cross and Blue Shield of North Carolina

• Centerwell Pharmacy

• CHI Health – NE

• CHI Memorial – TN

• CHI Memorial – GA

• CHI Mercy Health

• CHI St. Joseph Health

• CHI St. Luke’s Health Brazosport

• CHI St. Luke’s Health Memorial

• CHI St. Vincent

• Community Health Network

• Corewell Health

• Ella EM Brown Charitable Circle dba Oaklawn Hospital

• EmblemHealth Plan, Inc.

• EmblemHealth Insurance Company

• Faith Regional Health Services

• Health Insurance Plan of Greater New York

• Highmark Inc.

• Highmark Blue Cross Blue Shield Delaware

• Highmark Blue Cross Blue Shield West Virginia

• Highmark Blue Cross Blue Shield of Western New York

• Highmark Blue Shield Northeastern New York

• Holzer Health System

• Horizon Blue Cross Blue Shield of New Jersey

• Hospital & Medical Foundation of Paris, Inc. dba Horizon Health

• Humana Inc.

• Marshfield Clinic Health System

• Mass General Brigham Health Plan

• Mercy Med Ctr Des Moines-IA

• MercyOne Newton Med Ctr-IA (Skiff)

• Mercy Med Ctr W Lakes Des Moines-IA

• Mercy Med Ctr Centerville-IA

• MercyOne IA Heart Des Moines-IA

• Optum Specialty Pharmacy

• Optum OrthoNet

• Optum AppleCare Medical Group

• Priority Health

• Regence BlueCross BlueShield of Oregon

• Regence BlueShield

• Regence BlueCross BlueShield of Utah

• Regence Blue Shield of Idaho

• St. Alexius Health

• St Anthony Hospital

• St. Bernards Healthcare

• St Joseph Health

• St. Luke’s Health

• Sutter Health

• ThedaCare, Inc.

• Trane Technologies Company LLC and/or group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc.

• Trinity Health System

• The group health plans of Stanford Health Care, of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance

• The Guthrie Clinic

• Virginia Mason Franciscan Health

• West Virginia University Health System

• Yale New Haven Health

Information Impacted

The compromised data may vary for each individual. However, the following types of information may have been involved:

• Name and address

• Telephone number

• Email address

• Social Security Numbers (for a small group of impacted clients)

• Medicare/Medicaid ID Numbers (for a small group of impacted clients)

• Health Insurance information such as plan or group name (for a small group of impacted clients)

• Certain health information such as provider name, prescription name, or treatment code (for certain individuals)

Welltok’s Response and Actions

Welltok takes the privacy and security of personal information very seriously. Upon discovery of the breach, they immediately initiated an investigation and engaged third-party cybersecurity specialists to assist in the process. Welltok is committed to enhancing their existing policies and procedures related to data privacy to reduce the likelihood of similar incidents in the future.

To ensure affected individuals receive necessary information, Welltok is sending notification letters to those with valid mailing addresses. Additionally, they are offering credit monitoring and identity protection services to impacted individuals. Welltok is also notifying relevant regulatory authorities as part of their commitment to transparency and compliance.

How to Determine if You Are Affected?

Welltok is mailing notice letters to individuals whose information was present on the affected server. If you do not receive a letter but suspect that you may be affected, you can call Welltok’s dedicated assistance line at 800-628-2141. Representatives are available Monday through Friday, from 6:00 a.m. to 8:00 p.m. Pacific Time, and on weekends (Saturday and Sunday) from 8:00 a.m. to 5:00 p.m. Pacific Time, excluding major U.S. holidays.

Protecting Yourself from Identity Theft and Fraud

While there is no evidence of misuse of the compromised information, it is crucial to remain vigilant against identity theft and fraud. Here are some steps you can take to protect your personal information:

• Review Account Statements: Regularly review your account statements and explanation of benefits forms for any suspicious activity. Report any discrepancies or unauthorized transactions immediately to the relevant financial institutions or healthcare providers.

• Monitor Credit Reports: Obtain your free credit reports annually from each of the three major credit reporting bureaus (Equifax, Experian, and TransUnion). Monitor these reports for any unusual activity or errors. You can request a free credit report at www.annualcreditreport.com or by calling 1-877-322-8228.

• Fraud Alerts: Consider placing a fraud alert on your credit file. An initial fraud alert lasts for one year and requires businesses to verify your identity before extending new credit. If you are a victim of identity theft, you can request an extended fraud alert that lasts for seven years.

• Credit Freezes: Another option is to place a credit freeze on your credit report. This restricts access to your credit information, making it difficult for fraudsters to open new accounts in your name. Keep in mind that a credit freeze may delay or interfere with legitimate credit applications.

• Stay Informed: Educate yourself about identity theft, fraud alerts, and credit freezes. Familiarize yourself with your rights under the Fair Credit Reporting Act (FCRA) and the steps you can take to protect your personal information. The Federal Trade Commission (FTC) provides valuable resources on their website (www.identitytheft.gov).

• File Complaints: If you believe your information has been misused, file a complaint with the FTC and local law enforcement. You may also contact your state Attorney General’s office to report instances of known or suspected identity theft.

Additional Information

For residents of specific states, here is additional contact information:

• District of Columbia: District of Columbia Attorney General – 400 6th Street, NW, Washington, DC 20001; 1-202-727-3400; oag.dc.gov.

• Maryland: Maryland Attorney General – 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-410-528-8662 or 1-888-743-0023; https://www.marylandattorneygeneral.gov/.

• New Mexico: Review your rights under the Fair Credit Reporting Act and contact the New Mexico Attorney General’s office for further assistance.

• New York: New York Attorney General – Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; https://ag.ny.gov/.

• North Carolina: North Carolina Attorney General – 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; www.ncdoj.gov.

• Rhode Island: Rhode Island Attorney General – 150 South Main Street, Providence, RI 02903; 1-401-274-4400; www.riag.ri.gov.

Conclusion

The nationwide healthcare data breach has raised concerns about the security and privacy of patient information. Welltok is taking significant measures to address the issue, notify affected individuals, and offer support and resources. By remaining vigilant and proactive, individuals can protect themselves from potential identity theft and fraud. Regular monitoring of accounts and credit reports, along with the implementation of fraud alerts or credit freezes, can help mitigate the risks associated with this breach.