On November 17, 2023, Welltok, Inc. filed a notice of data breach with the Attorney General of Maine after a vulnerability in the MOVEit file-transfer program resulted in an unauthorized party being able to access confidential information belonging to Stanford Health plan members. In this notice, Welltok explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, addresses, dates of birth, and health information. Upon completing its investigation, Welltok began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you received a data breach notification from Welltok, Inc. discussing information you provided to a Stanford Health group health plan, it is essential you understand what is at risk and what you can do about it. Welltok notes that the incident impacts individuals enrolled in the following plans: Stanford Health Care, Lucile Packard Children's Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children's Health Alliance. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft, as well as discuss your legal options following the Welltok data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breach Affecting Welltok?

The Welltok data breach was only recently announced, and more information is expected in the near future. However, Welltok’s filing with the Attorney General of Maine provides some important information on what led up to the breach. According to this source, on July 26, 2023, Welltok was alerted to a possible data breach involving the MOVEit data breach. However, at the time, Welltok had installed all published patches and security upgrades. Upon completing an investigation, Welltok determined that no data was compromised.

However, after further investigation, on August 11, 2023, Welltok confirmed that an unauthorized party had gained access to its MOVEit server on May 30, 2023. It was also determined that some of these files were removed from Welltok’s MOVEit server.

After learning that sensitive consumer data was accessible to an unauthorized party, Welltok reviewed the compromised files to determine what information was leaked and which consumers were impacted. Welltok completed this process on October 18, 2023. While the breached information varies depending on the individual, it may include your name, address, date of birth, and health information.

The recent Welltok breach affected the following Stanford Health group health plans:

• Stanford Health Care,
• Lucile Packard Children's Hospital Stanford,
• Stanford Health Care Tri-Valley,
• Stanford Medicine Partners, and
• Packard Children's Health Alliance.

On November 17, 2023, Welltok sent out data breach letters to anyone who was affected by the recent data security incident. These letters should provide victims with a list of what information belonging to them was compromised.

More Information About Welltok, Inc.

Welltok, Inc. is a healthcare services and support company as well as a subsidiary of Virgin Pulse. Virgin Pulse is a healthcare software company based out of Providence, Rhode Island. The company is partially owned by Virgin Group, a large multinational venture capital conglomerate based out of London, England. Virgin Pulse employs approximately 2,000 people and generates annual revenue of roughly $385 million.