Over 800K impacted by data breach
Yale New Haven Health among health systems affected nationwide via online wellness program
More than 800,000 Connecticut residents had their personal information compromised during a data breach of an online wellness program used by health care providers and businesses, including some Connecticut health systems.
Officials at Welltok, based in Denver, Colorado, notified companies using the program in September of the breach. On Dec. 22, the company began providing written notice to people whose data may have been compromised. That includes 847,356 Connecticut residents, a lawyer for Welltok wrote in a letter to the state Attorney General’s Office.
The breach appeared to take place earlier in the year through a tool Welltok uses called MOVEIT.
“On July 26, 2023, Welltok was alerted to an earlier alleged compromise of its MOVEIT Transfer server in connection with software vulnerabilities made public by the developer of the MOVEIT Transfer tool,” Rebecca Jones, an attorney for Welltok, wrote in a Dec. 22 letter to the Attorney General. “Welltok had previously installed all published patches and security upgrades immediately upon such patches being made available by Progress Software, the maker of the MOVEIT Transfer tool.
“After a full reconstruction of its systems and historical data, the investigation determined on August 11, 2023, that an unknown actor exploited software vulnerabilities, accessed the MOVEIT Transfer server on May 30, 2023, and exfiltrated certain data from the MOVEIT Transfer server during that time. Welltok subsequently undertook an exhaustive and detailed reconstruction and review of the data stored on the server at the time of this incident … Since then, Welltok has been coordinating efforts with the impacted data owner(s) to review and verify the affected information and provide direct notice to impacted individuals.”
Information that may have been breached included names, birth dates, Social Security numbers, treatment information/diagnoses, provider names, patient IDS, health insurance information, and treatment cost information, Jones wrote.
Welltok offered credit monitoring services for 12 to 24 months, depending on state law requirements, through Experian, to people whose personal information may have been impacted, Jones wrote. She could not immediately be reached for comment.
Yale New Haven Health was one of the systems affected by the breach. In late December, Welltok notified Yale patients whose data was compromised.
“Yale New Haven Health was recently made aware that one of our outside vendors had been subject to a data breach,” said Dana Marnane, a spokeswoman for YNHH. “Welltok, a provider of customer relationship management tools, determined that an unauthorized third party had accessed data from MOVEIT – a file transfer program they utilize. The MOVEIT breach has unfortunately affected millions of people at companies around the world. In the case of YNHHS data, no personal financial information such as bank account, social security number nor credit card information was accessed. Welltok is notifying all those impacted and offering free credit monitoring services.”
Marnane did not say how many people in YNHH’S network were affected.
In a letter to Yale New Haven Health patients, Welltok wrote: “On October 25, 2023, Yale New Haven Health learned the scope of the data present on the impacted server at the time of the event. Since then, we have been coordinating efforts with Yale New Haven Health to review and verify the affected information and provide direct notice to impact individuals. … The information contained in the affected files included your name and [patient] ID, date of birth, health insurance information, provider name, treatment cost information, and treatment information or diagnosis. Your Social Security Number and financial information were not affected as a result of this incident.”