Hackers have stolen the personal data of more than 8.4 million patients from Welltok Inc., a Denver-based company that provides software for healthcare organizations.

Welltok first disclosed the breach in October without sharing the full details of the incident. On Wednesday, it revealed that the hackers had stolen information belonging to some 8,493,379 patients. The company detailed the scope of an incident in notice posted to the U.S. Department of Health and Human Services website.

According to Welltok, the hackers gained access to affected patients’ names, email addresses, home addresses and telephone numbers. The breach also compromised some individuals’ Social Security numbers, Medicare and Medicaid ID numbers, and certain health insurance information. 

Welltok develops software that healthcare organizations such as hospitals use to share information with patients. Additionally, the company provides an application for managing wellness programs. The patient data that the cyberattack compromised was entrusted to Welltok by more than a dozen healthcare organizations that use its software to support their work.

The company detailed that the hackers stole the data by breaching its deployment of MOVEit Transfer, a cloud service organizations use to move data between internal applications. The service was targeted by a large-scale hacking campaign earlier this year. Cybersecurity company Emsisoft Ltd. estimates that the cyberattacks affected more than 2,600 MOVEit Transfer customers, including many healthcare organizations.

The hacking campaign was carried out by Clop, a ransomware group believed to be based in Russia. The cyberattacks exploited a zero-day vulnerability that made it possible to bypass MOVEit Transfer deployments’ authentication mechanism and download their data. Progress Software Inc., the service’s developer, first disclosed the vulnerability in May and uncovered a number of additional cybersecurity flaws a few weeks later.

Progress Software is a Nasdaq-traded company that mainly sells application development tools. It purchased MOVEit Transfer in 2019 through the acquisition of a Burlington, Massachusetts-based enterprise software supplier called Ipswich. The latter company, in turn, obtained MOVEit Transfer service when it bought the service’s original developer in 2008. 

In its breach disclosure, Welltok stated that the hackers gained access to its MOVEit Transfer deployment on June 26. The company claims the cyberattack occurred despite the fact that it had downloaded all the security patches provided by Progress Software. Welltok claims it implemented the updates as soon as they become available. 

The breach at Welltok is the second largest cyberattack involving MOVEit Transfer by the number of people affected. In the largest breach, which affected government services company Maximus Inc., hackers accessed as many as 11 million users’ data. Overall, it’s estimated that the MOVEit Transfer hacking campaign has compromised information belonging to about 62 million people. 

Image: Welltok