- U.S. States Warm, But Not As Expected
- Rovner Recaps Medicaid Cuts’ Impact on Hospitals and Fields Caller Questions on Affordability
- CMS proposes mandatory hospital-bundled model for joint replacements
- CMS proposes mandatory hospital-bundled model for joint replacements
- CMS proposes mandatory hospital-bundled model for joint replacements
- CMS pitches 2.4% hospital pay bump, mandatory joint replacement model: 7 things to know
- CMS pitches 2.4% hospital pay bump, mandatory joint replacement model: 7 things to know
- Mayo Clinic enhances imaging test with AI
- Christus Health to open Texas multi-specialty clinic
- CMS proposes extension of prior authorization rule to cover drugs: 6 notes
- Penn Medicine, Epic lean into EHR ‘nudges’
- AdventHealth breaks ground on $27M freestanding ER
- Henry Ford hospital strike enters 7th month: 6 notes
- Texas launches rural hospital leadership academy
- Children’s Minnesota staff email account compromised
- UHS’ CEO-to-worker pay ratio over the past 5 years
- 11 things to know about the uninsured population: KFF
- Medicaid’s consistency problem in dentistry
- Dental groups seek $600M+ in FY 2027 federal budget: 5 notes
- Missouri dental school grows student body by 33% to combat dentist shortages
- Prior authorization by the numbers: 10 stats that show the strain
- The Trump Administration Is Seeking Federal Workers’ Sensitive Medical Data. That’s Raising Alarms.
- 5 new university programs tackling behavioral health workforce gaps
- How Mount Sinai is transforming its revenue cycle
- Hospital revenue cycle teams evolve as AI ‘arms race’ heats up
- Texas Children’s gets $5M gift for behavioral health services
- Cardiology malpractice cases by the numbers
- Texas Children’s receives $5M estate gift for behavioral health
- CMS proposes 2.4% hospital pay increase, nationwide mandatory model rollout
- Which physician specialty is most likely to have a salaried paycheck?
- 20+ dental education updates to know from Q1
- Proposed CMS rule would set prior auth deadlines for drugs
- The best orthopedic ASCs in the West: US News
- 4 clinics closing after physician owner sentenced for selling recalled medical devices as new
- The hospitals, health systems cutting jobs in 2026
- VA program deploys 700+ VR ‘mental wellness’ kits
- The cost of private equity firms owning residential SUD facilities: 4 things to know
- 10 highest, lowest-paying physician specialties
- Independent GI practices shrinks as reimbursements fall 38% over a decade
- HHS, after legal setback, updates ACIP charter to put more emphasis on vaccine safety
- HHS, after legal setback, updates ACIP charter to put more emphasis on vaccine safety
- New York system to open $12M outpatient imaging center
- Costco Recalls Cookies Over Missing Nut Allergy Warning
- CDC Pauses Release of COVID Vaccine Effectiveness Study
- Pharma company withdraws FDA application amid White House autism treatment push
- UCI Health reverses layoffs of 7 quality improvement workers
- Endoscopy at scale: The reprocessing best practices separating high-performing teams
- 30 hospitals closing departments or ending services
- Demand Surge Leads to Shortages of Estrogen Patches
- What to know about the fastest-growing DSO
- 4 DSOs making headlines
- Statement Regarding Staff No-Action Letter to Bank of England
- Op-ed: Administrative fragility is costing healthcare more than we think
- Alaska city opens addiction treatment microunit program
- Title X Funding Restored, but New Rules Raise Concerns
- Function Health acquires mobile healthcare platform Getlabs to provide members with at-home lab tests
- The Healthcare Burnout Backlash (pt 3): How Workflow Redesign Is Helping Healthcare Organizations Offset Staffing Shortages
- The Healthcare Burnout Backlash (pt 3): How Workflow Redesign Is Helping Healthcare Organizations Offset Staffing Shortages
- BD Announced Application of CE Mark for the Liverty TIPS Stent Graft
- BD Announced Application of CE Mark for the Liverty TIPS Stent Graft
- Blackstone and TPG Complete Acquisition of Hologic; Names New CEO
- Blackstone and TPG Complete Acquisition of Hologic; Names New CEO
- Endospan Receives FDA Approval for the NEXUS Aortic Arch Stent Graft System
- Endospan Receives FDA Approval for the NEXUS Aortic Arch Stent Graft System
- InVera Medical Receives FDA Clearance for Non-Thermal Chronic Venous Disease Device
- InVera Medical Receives FDA Clearance for Non-Thermal Chronic Venous Disease Device
- Starting material sourcing bottlenecks increase US drug shortage risks: report
- Novartis cuts 114 more jobs at New Jersey HQ as restructuring rolls on
- Charles River flows into Boston to help AHA bridge cardiovascular health divide
- Your Brain Cares If Your Plant-Based Diet Is Unhealthy, Researchers Report
- Your Neighborhood Might Help Make You Old Before Your Time
- Heavy 'Forever Chemical' Exposure Before Birth Increases Childhood Asthma Risk, Study Finds
- High-Tech Magnets Offer New Hope for Veterans Battling Combat PTSD
- Early Diagnosis Key To ADHD Child's Academic Success, Study Finds
- Study Reveals Who Americans Think Should Pay for Elder Care
- Envision hires ConcertAI, IQVIA alum Nick Jones as its med comms president
- The top 10 pharma R&D budgets of 2025
- Watch: As AI Makes More Health Coverage Decisions, the Risks to Patients Grow
- For Many Patients Leaving the ICU, the Struggle Has Only Just Begun
- Bial launches ‘Dialogues with Parkinson’s’ campaign aimed at identifying early symptoms
- Novartis pumps up community health footprint to tackle heart disease and cancer
- Abbott survey finds ‘information overload, confusion and cost’ affecting health choices in US
- FDA accuses Amneal, BioCorRx of producing ‘false and misleading’ drug promos
- North Carolina provider launches mobile opioid treatment unit
- U of Pittsburgh debuts online infant mental health certificate
- Emerging DSO lands Ohio partnership
- Heartland Dental added 5 de novos in March
- Florida International U, medical school land $30M gift for medical center
- Stanford Health, Alameda Health System partner to support California hospital
- The states with the highest, lowest migration rate of dentists since 2019
- What the Health? From KFF Health News: Abortion Pills, the Budget, and RFK Jr.
- Specialty DSO eyes new growth levers after entering several states
- Hospital M&A roars back to life in Q1 2026; Operating performances fray in February
- Epic rolls out health alerts to flag rising rates of illness at the county level
- Fierce Pharma Asia—Takeda-Denali split-up; Merck, Zhifei's revised deal; Shionogi's made-in-US plan
- Brain Scans Reveal How Psychedelics Change Perception
- Benefits leaders report increased operational, financial costs amid 'digital health vendor sprawl': Solera survey
- Vanda initiates study of motion sickness drug Nereus in GLP-1 users
- Judge Allows Abortion Pill, Mifepristone, To Continue Being Mailed for Now
- Bangladesh Measles Outbreak Kills 100+ Kids, Emergency Shots Begin
- Regulatory burdens continue to mount for physician practices
- Medicare navigation company Chapter banks $100M series E funding round
- Hair Growth Product, Tuymec Minoxidil Hair Growth Kits, Recalled Over Child Poisoning Risk
- Garda snaps up Assertio and chemo infection treatment Rolvedon in $125M deal
- AbbVie challenges 'outdated' 340B drug discount program guidance in new lawsuit
- AbbVie challenges 'outdated' 340B drug discount program guidance in new lawsuit
- Eli Lilly launches oral GLP-1 drug across US through Lilly Direct, telehealth providers
- Humana, Noom and Welldoc team up with b.well to expand health data access as part of CMS push
- America's Sexual Health Report Card Contains Some Surprises
- Years of Excess Weight, Not One Bad Checkup, Drive Heart Disease Risk
- There Are No Good Ways To Avoid Childhood Eczema But Many Treatment Options
- More Children, Teens At Risk From E-Scooter Crashes, Study Finds
- This Treatment Can Improve Your Odds Of Surviving C. Diff Infection
- Alzheimer’s Tests May Mask Risks for Women
- RFK Jr. launching health podcast to expose ‘hypocrisy’ and ‘corruption’
- RFK Jr. launching health podcast to expose ‘hypocrisy’ and ‘corruption’
- Advocate Health improves to 4% operating margin, $4.6B bottom line across 2025
- States Face Another Challenge With Medicaid Work Rules: Staffing Shortages
- Farm Bureau Health Plans Beat the ACA on Prices With an Age-Old Tactic: Rejecting Sick People
- Avalyn plans IPO to fund phase 3 trials of inhaled versions of approved respiratory drugs
- Judge rules that HHS must face states' lawsuit over RFK Jr.'s agency overhaul, massive layoffs
- Judge rules that HHS must face states' lawsuit over RFK Jr.'s agency overhaul, massive layoffs
- Consumers' satisfaction with health plan apps improves with familiarity: JD Power
- Nurses' job satisfaction stumbles after post-pandemic gains: survey
- Amazon launches 2 new digital health partnerships for nutrition therapy, sleep care in health conditions program
- Former NFL Star Steve McMichael Diagnosed With CTE After His Death
- Steven Ubl set to depart after more than a decade as CEO of PhRMA
- Nixing prior auth, outlier hospital bills could lower health costs, Center for American Progress' policy plan says
- Shionogi nabs initial $119M award from BARDA to establish US antibiotic plant
- More Drugmakers Join TrumpRx
- Graco Recalls Infant Car Seats Over Structural Issue
- Orlando Health fleshes out Alabama footprint with another acquisition
- US adults still turn to providers for accurate health information even as AI chatbot use grows: Pew survey
- Pfizer walks away from 'underutilized' office space in South San Francisco, transitions employees to remote roles
- Biogen settles investor lawsuit over its messaging on failed Alzheimer's drug Aduhelm
- Digital health startups raked in $4B during Q1 with 12 megadeals driving investment: Rock Health
- New Cervix-On-A-Chip May Revolutionize STI Treatment
- The Flu Vaccine Can Lower Your Risk Of Heart Attack And Stroke — Even If You Wind Up Infected
- Long COVID Linked to Heart Health Risks
- Herbal Drug Kava Poses Increasing Health Threat In U.S., CDC Warns
- Preschoolers' Solitary Screen Time Could Mean Behavior Problems, Language Difficulties Later On
- Combo Heat Waves/Droughts Will Affect Billions A Year By 2100, Researchers Project
- Amgen CEO netted $24.7M pay package in ‘25 as company’s upward trajectory continued
- J&J's Tremfya retakes TV drug ad spending crown from AbbVie
- Trump’s Personnel Agency Is Asking for Federal Workers’ Medical Records
- Urgent Care Clinics Move To Fill Abortion Care Gaps in Rural Areas
- FDA Approves First Generic Farxiga (dapagliflozin) Tablets
- Reliance on EHR vendors' tech roadmap slows down AI progress, senior IT leaders say
- ¿Puedo decirle a mi médico que no quiero que use la inteligencia artificial para tomar notas?
- Remarks at the Texas Stock Exchange Event: Welcome to the Boom Belt: A Return to First Principles in Public Markets
More than one million Michiganders' data were were stolen in a cybersecurity breach at a Corewell Health contractor, Welltok, Inc. About 8 million Americans' records in total were exposed in this breach.
Welltok is an SaaS (software as a service) company which provides communication services for Corewell Health's southeastern Michigan operations and a portal for Priority Health, among many other healthcare companies across America.
Welltok data breach exposes data of 8.5 million US patients
By Bill Toulas - November 22, 2023Healthcare SaaS provider Welltok is warning that a data breach exposed the personal data of nearly 8.5 million patients in the U.S. after a file transfer program used by the company was hacked in a data theft attack.
Welltok works with health service providers across the U.S., maintaining online wellness programs, holding databases with personal patient data, generating predictive analytics, and supporting healthcare needs like medication adherence and pandemic response.
Earlier this year, the Clop ransomware gang exploited a zero-day vulnerability in the MOVEit software to breach thousands of organizations worldwide, following up with extortion demands and data leaks impacting over 77 million people.
Welltok published a notice of a data incident in late October, warning that its MOVEit Transfer server was breached on July 26, 2023. This occurred despite applying the security updates as soon as those were made available by the vendor.
Patient data was exposed during the breach, including full names, email addresses, physical addresses, and telephone numbers. For some, it also includes Social Security Numbers (SSNs), Medicare/Medicaid ID numbers, and certain Health Insurance information.
The impact of the breach impacted institutions in various states, including Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois, and Massachusetts, with the following healthcare providers said to be impacted:
- Blue Cross and Blue Shield of Minnesota and Blue Plus
- Blue Cross and Blue Shield of Alabama
- Blue Cross and Blue Shield of Kansas
- Blue Cross and Blue Shield of North Carolina
- Corewell Health
- Faith Regional Health Services
- Hospital & Medical Foundation of Paris, Inc. dba Horizon Health
- Mass General Brigham Health Plan
- Priority Health
- St. Bernards Healthcare
- Sutter Health
- Trane Technologies Company LLC and/or group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc.
- The group health plans of Stanford Health Care, of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance
- The Guthrie Clinic
Initial estimates about the number of impacted individuals varied as Welltok didn’t immediately disclose this information.
However, earlier today, the firm reported on the U.S. Department of Health and Human Services breach portal that the data breach has been confirmed to impact 8,493,379 people.
This figure places the Welltok breach as the second largest MOVEit data breach after services contractor Maximus, whose data breach affected 11 million people.
AG Dana Nessel is now involved:
Corewell Health Data Breach Exposes Info of One Million Michigan Patients
December 01, 2023
LANSING – A cybersecurity breach at Welltok, Inc., the software company contracted to provide communications services to Corewell Health’s southeastern Michigan properties, has reportedly affected more than one million Michigan residents, Attorney General Dana Nessel announced.The names, dates of birth, email addresses, phone numbers, medical diagnoses, health insurance information, and Social Security numbers for about one million Corewell Health patients were compromised in the breach. In addition, the names, addresses, and health insurance identification numbers of 2,500 users of the healthy lifestyle portal for Priority Health, an insurance plan owned by Corewell, were also compromised, according to a statement from the health system earlier this month. In total, the breach affected nearly 8.5 people nationally.
The attack, which occurred on May 30, exploited software vulnerabilities on the MOVEit Transfer server owned by Virgin Pulse, Welltok's parent company.
“Health information is some of the most personal information that we have,” said Nessel. “If there was ever data that required heightened cybersecurity measures, it is the information held by the healthcare sector. This kind of breach has occurred too often, and patients deserve to feel confident that their health data is protected in the most robust way possible. My office remains committed to helping Michigan residents keep their data private and secure.”
Welltok has confirmed that those affected include people who have received health care or insurance provided by the following companies:
- Asuris Northwest Health
- BridgeSpan Health
- Blue Cross and Blue Shield of Minnesota and Blue Plus
- Blue Cross and Blue Shield of Alabama
- Blue Cross and Blue Shield of Kansas
- Blue Cross and Blue Shield of North Carolina
- Faith Regional Health Services
- Hospital & Medical Foundation of Paris, Inc. dba Horizon Health
- Mass General Brigham Health Plan
- Regence BlueCross BlueShield of Oregon
- Regence BlueShield
- Regence BlueCross BlueShield of Utah
- Regence Blue Shield of Idaho
- St. Bernards Healthcare
- Sutter Health
- Trane Technologies Company LLC and/or group health plans sponsored by Trane Technologies Company LLC or Trane U.S. Inc.
- The group health plans of Stanford Health Care, of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance
- The Guthrie Clinic
According to the HIPAA Journal, this cyberattack marks the fourth-largest healthcare data breach in the U.S. this year. The U.S. Department of Health and Human Services reported that data breaches among healthcare organizations more than doubled from 2019 to 2021. In 2022, at least 28.5 million healthcare records were breached nationwide.
Michigan, in particular, has experienced a surge in healthcare-related cyberattacks. In recent months, Attorney General Nessel notified Michigan residents about a ransomware attack affecting 2.5 million McLaren Health Care patients. Similarly, the University of Michigan faced a cyberattack in late August, leading to the compromise of personal information, including Social Security numbers, driver’s license or other government-issued ID numbers, and medical records.
If Welltok has a valid mailing address on file, the company is mailing a notice letter to individuals whose information was determined to be in the affected files. Anyone who does not receive a notice letter but would like to know if they are affected, or has other questions, may call the Welltok dedicated assistance line at 800-628-2141.
Although potentially impacted individuals should be receiving a notice letter from Welltok, state law does not currently require companies who experience a data breach to share that information with the Department of Attorney General. The Department often learns about these data breaches through media reports. The AG strongly recommends the legislature – similar to many other states – strengthen our law to require companies who experience a data breach to immediately inform the Department of Attorney General. This will allow the Attorney General to more quickly alert the public.
“Michigan simply must catch up to the states that require Attorney General notification of these significant breaches,” added Nessel. “To fulfill our duties of consumer protection and corporate oversight, the Department of Attorney General must be alerted to these breaches, when personal health and identifying information that is so often used to commit identity crimes, is compromised and made unsecure.”
The Department of Attorney General’s Data Breaches: What to do Next alert provides consumers with useful information about what kind of information can be accessed during a data breach.
To file a complaint with the Attorney General, or get additional information, contact:
Consumer Protection Team:
P.O. Box 30213
Lansing, MI 48909
517-335-7599
Fax: 517-241-3771
Toll-free: 877-765-8388
Online complaint formYour connection to consumer protection is just a click or phone call away. The Department provides a library of resources for consumers to review anytime on a variety of topics.
Typo alert for the AG's office.
In total, the breach affected nearly 8.5 people nationally.
Data for over 1 million Michiganders, Corewell Health patients compromised after massive Welltok cyber attack
By Cassandra Llamas Fossen, 2 days ago
(WWJ) - Roughly 1 million Michiganders were impacted after a cyber security breach was discovered at Welltok Inc., a healthcare software-as-a-service company contracted by Corewell Health.
Welltok recently notified over 8 million Americans on behalf of 20 healthcare providers and plans, including Corewell Health, of the data breach stemming from the May 2023 MOVEit hack, stating an unauthorized individual was able to view and exfiltrate sensitive information.
Priority Health -- a Corewell-owned insurance plan -- was also impacted, with data for 2,500 Priority members exposed.
The cyber attack is one of the largest breaches reported to the U.S. Department of Health and Human Services (HHS) so far this year.
According to Welltok, the hackers were able to take advantage of a vulnerability in Progress Software’s MOVEit Transfer server. The company said it immediately patched the vulnerability when it was found on May 31 and made any necessary security upgrades.
While Welltock conducted an examination into the incident, it wasn't until Aug. 11 when a third-party company hired to reconstruct its systems and historical data discovered the breach.
A letter was sent out earlier in November to the 8,493,379 people affected by the massive breach.
“We take this event and the security of personal information in our care very seriously. Upon learning of this event, we moved quickly to investigate and respond to the event and notify potentially affected individuals,” Welltok stated.
Names, addresses, email addresses, and phone numbers, including a small amount of Social Security numbers, health insurance information, and Medicare/Medicaid ID numbers were all reported to have been impacted.
“As part of our ongoing commitment to the security of information, we are reviewing and enhancing our existing policies and procedures related to data privacy to reduce the likelihood of a similar future event," Welltok said.
"While we have no evidence that any of your information has been misused, we are notifying you and providing information and resources to help protect your personal information," Welltok said in a statement.
Welltok opened a dedicated assistance line at 800-628-2141 to help patients who may have questions about the incident.
The company recommended credit monitoring for those affected by the breach.
Get MHF Insights
News and tips for your healthcare freedom.
We never spam you. One-step unsubscribe.
Sponsors
Friends of MHF
Kirsten DeVries
Tom & Karen Nunheimer
Steve Ahonen
Ron & Faith Bosserman
Marlin & Kathy Klumpp
Sign Up for MHF Insights to keep up on the latest in Michigan Health Policy
