At Least 14.76 Million Individuals Impacted by Welltok Data Breach

by | Aug 31, 2024 | HIPAA News and Advice

The 2023 MOVEit Transfer data breach at Welltok, a patient engagement firm based in Denver, has now impacted over 14.7 million people. This incident is currently the second-biggest healthcare data breach ever reported by a HIPAA-regulated entity to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

As of the most recent statistics update, healthcare data breaches in 2023 had affected considerably more individuals than previously reported. According to the OCR breach portal, there have been 744 reported healthcare data breaches in 2023, affecting a total of 160,009,510 individuals. The increase in affected individuals is largely due to an updated report on the Welltok breach. Originally, the breach was reported to have impacted 8,493,379 people, but the figure has now been revised to 14,762,475 individuals. This update, which occurred after April 2024, also reveals that at least 165 of Welltok’s healthcare clients were affected by the breach.

Welltok was one of many victims in a widespread cyberattack carried out by the Clop group, which took advantage of a zero-day vulnerability identified in the MOVEit Transfer file transfer solution of Progress Software. Over 2,600 companies worldwide were impacted by the attack. The full extent of the damage from this vulnerability remains unknown, but KonBriefing has estimated that the information of at least 85 million people was stolen in the attacks, with the actual number likely much higher.

Under the HIPAA Breach Notification Rule, HIPAA-covered entities need to report data breaches to the HHS Secretary promptly, or within 60 calendar days after the breach is discovered. However, updating the figures listed in the OCR breach portal is allowed when necessary. When investigations are still ongoing at the time of reporting, entities must provide an estimated number of affected individuals. These estimates can later be updated as more accurate information becomes available. Often, entities will use a placeholder number, such as 500 or 501 affected individuals, if the actual total is still unknown. This was the scenario with the Change Healthcare ransomware attack. A temporary figure of 500 impacted persons was reported, even though the breach might have impacted around one-third of Americans.
