Lansing, MI - A cybersecurity breach at Welltok, Inc., the software company contracted to provide communications services to Corewell Health’s southeastern Michigan properties, has reportedly affected more than one million Michigan residents, Attorney General Dana Nessel announced.
The names, dates of birth, email addresses, phone numbers, medical diagnoses, health insurance information, and Social Security numbers for about one million Corewell Health patients were compromised in the breach. In addition, the names, addresses, and health insurance identification numbers of 2,500 users of the healthy lifestyle portal for Priority Health, an insurance plan owned by Corewell, were also compromised, according to a statement from the health system earlier this month. In total, the breach affected nearly 8.5 people nationally.
The attack, which occurred on May 30, exploited software vulnerabilities on the MOVEit Transfer server owned by Virgin Pulse, Welltok's parent company.
“Health information is some of the most personal information that we have,” said Nessel. “If there was ever data that required heightened cybersecurity measures, it is the information held by the healthcare sector. This kind of breach has occurred too often, and patients deserve to feel confident that their health data is protected in the most robust way possible. My office remains committed to helping Michigan residents keep their data private and secure.”
Welltok has confirmed that those affected include people who have received health care or insurance provided by the following companies:
- Asuris Northwest Health
- BridgeSpan Health
- Blue Cross and Blue Shield of Minnesota and Blue Plus
- Blue Cross and Blue Shield of Alabama
- Blue Cross and Blue Shield of Kansas
- Blue Cross and Blue Shield of North Carolina
- Faith Regional Health Services
- Hospital & Medical Foundation of Paris, Inc. dba Horizon Health
- Mass General Brigham Health Plan
- Regence BlueCross BlueShield of Oregon
- Regence BlueShield
- Regence BlueCross BlueShield of Utah
- Regence Blue Shield of Idaho
- St. Bernards Healthcare
- Sutter Health
- Trane Technologies Company LLC and/or group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc.
- The group health plans of Stanford Health Care, of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance
- The Guthrie Clinic
According to the HIPAA Journal, this cyberattack marks the fourth-largest healthcare data breach in the U.S. this year. The U.S. Department of Health and Human Services reported that data breaches among healthcare organizations more than doubled from 2019 to 2021. In 2022, at least 28.5 million healthcare records were breached nationwide.
Michigan, in particular, has experienced a surge in healthcare-related cyberattacks. In recent months, Attorney General Nessel notified Michigan residents about a ransomware attack affecting 2.5 million McLaren Health Care patients. Similarly, the University of Michigan faced a cyberattack in late August, leading to the compromise of personal information, including Social Security numbers, driver’s license or other government-issued ID numbers, and medical records.
If Welltok has a valid mailing address on file, the company is mailing a notice letter to individuals whose information was determined to be in the affected files. Anyone who does not receive a notice letter but would like to know if they are affected, or has other questions, may call the Welltok dedicated assistance line at 800-628-2141.
Although potentially impacted individuals should be receiving a notice letter from Welltok, state law does not currently require companies who experience a data breach to share that information with the Department of Attorney General. The Department often learns about these data breaches through media reports. The AG strongly recommends the legislature – similar to many other states – strengthen our law to require companies who experience a data breach to immediately inform the Department of Attorney General. This will allow the Attorney General to more quickly alert the public.
“Michigan simply must catch up to the states that require Attorney General notification of these significant breaches,” added Nessel. “To fulfill our duties of consumer protection and corporate oversight, the Department of Attorney General must be alerted to these breaches, when personal health and identifying information that is so often used to commit identity crimes, is compromised and made unsecure.”
The Department of Attorney General’s Data Breaches: What to do Next alert provides consumers with useful information about what kind of information can be accessed during a data breach.
To file a complaint with the Attorney General, or get additional information, contact:
Consumer Protection Team:
P.O. Box 30213
Lansing, MI 48909
517-335-7599
Fax: 517-241-3771
Toll-free: 877-765-8388
Online complaint form
Your connection to consumer protection is just a click or phone call away. The Department provides a library of resources for consumers to review anytime on a variety of topics.