Welltok first learned of an alleged compromise of their MOVEit Transfer server on July 26. The company eventually learned in August that “an unknown actor exploited software vulnerabilities” and accessed the MOVEit Transfer service in May, the company said. MOVEit provides cloud services, like data storage.
Multiple health care organizations have been impacted with more than 8.4 million people affected, according to the U.S. Department of Health and Human Services.
By Oct. 23, Premier Health learned the scope of the data present on the impacted server, and Welltok has been coordinating with the hospital system to notify impacted individuals, the company said.
“After a complex and thorough investigation, we recently started providing notice to impacted individuals on behalf of certain other health care organizations,” the Welltok company said in a statement.
The type of information at issue varies for each person, Welltok said.
“For a small group of impacted clients, Social Security Numbers, Medicare/Medicaid ID Numbers, or certain Health Insurance information such as plan or group name, were also implicated. For other individuals, certain health information such as a provider name, prescription name, or treatment code may have been included,” the company said in a statement.
The company has no evidence Premier Health patient data has been misused, but they are offering those who information could have been compromised with 12-month credit monitoring. Patients have until the end of February to sign up for the credit monitoring.
MOVEit is the same company that involved CareSource clients being impacted by a data breach, which took place on May 31. That data breach led to multiple class action lawsuits, many of which have been transferred to the District of Massachusetts where multiple companies like CareSource are listed as defendants in litigation involving the MOVEit data breach.
Premier Health is a medical system with three hospitals and two major health centers in the Dayton region.