Skip to main content
Medical Record

Corewell Health Data Breach Investigation | Welltok

Written by Joseph Lyon on . Posted in Data Breach.

The Lyon Firm is investigating new MOVEit data breach claims related to Welltok and Corewell Health that allegedly impacted millions of individuals nationwide. We are currently involved in some of the largest data privacy litigation in the country, including several MOVEit file transfer ransomware attack cases.

Contact our data breach lawyers to learn more about your legal options. It is not to late to file a claim, and to join existing class actions. You may be eligible to seek compensation and to hold any negligent company accountable for damages. 

In November 2023, Corewell Health posted a notice on their website describing a third-party data breach at Welltok, a third-party vendor of the company.

Corewell explained that the Welltok incident resulted in an unauthorized party being able to access sensitive information belonging to about one million patients. It has been reported that names, dates of birth, email addresses, phone numbers, diagnoses, health insurance information and Social Security numbers may have been leaked in the attack. After the investigation, Welltok began sending out data breach notification letters to individuals whose information was affected.

Thus far, the healthcare software company Welltok has notified 8.5 million individuals of a data breach stemming from the MOVEit hack. The incident signifies one of the largest ever breaches reported to HHS. As previously reported, threat actors took advantage of a vulnerability in Progress Software’s MOVEit app.

The information involved in the Corewell breach may have included the following: names, addresses, email addresses, and phone numbers. A small number of Social Security numbers, health insurance information, and Medicare/Medicaid ID numbers.

If you have been notified by any entity linked to Welltok regarding the data theft incident, contact our attorneys for a free case review. We are still collecting MOVEit data breach claims on behalf of victims nationwide. Free and confidential consultations.

What Happened at Corewell Health?

The attack, which occurred on May 30, exploited software vulnerabilities on the MOVEit File Transfer server owned by Virgin Pulse, Welltok’s parent company. In July 2023, Welltok was told that its MOVEit server had been compromised. Welltok confirmed that those who have received health care or insurance provided by the following companies may be impacted:

  • Asuris Northwest Health
  • BridgeSpan Health
  • Blue Cross and Blue Shield of Minnesota and Blue Plus
  • Blue Cross and Blue Shield of Alabama
  • Blue Cross and Blue Shield of Kansas
  • Blue Cross and Blue Shield of North Carolina
  • Corewell Health (formerly Spectrum Health)
  • Faith Regional Health Services
  • Horizon Health
  • Mass General Brigham Health Plan
  • Regence BlueCross BlueShield of Oregon
  • Regence BlueCross BlueShield of Utah
  • Regence Blue Shield of Idaho
  • Bernards Healthcare
  • Sutter Health
  • Trane Technologies Company
  • Stanford Health Care, Lucile Packard Children’s Hospital Stanford,  and Packard Children’s Health Alliance
  • The Guthrie Clinic

If you received a data breach notification from Corewell Health or Welltok, it is important to understand what is at risk. Following data theft incidents, cybercriminals may be able to engage in a number of medical identity theft and fraudulent schemes. Any victims should remain vigilant for any signs of fraud. Check your financial statements carefully, monitor your credit reports, freeze your credit if necessary, and change all your login credentials.

More About Corewell Health

Corewell Health is a nonprofit healthcare system operating 21 hospitals and more than 300 outpatient locations out of Grand Rapids, Michigan. Corewell, formed in 2022 by the merger of Beaumont Health and Spectrum Health, provides care for an estimated 1.3 million people. The organization is headquartered in Grand Rapids and has over 60,000 employees.

In October 2018, Spectrum closed on a merger with Lakeland Health, a health system in southwest Michigan. Spectrum Health Lakeland will operate as a wholly owned subsidiary of Spectrum Health. In June 2021, Beaumont announced plans to merge with Grand Rapids-based Spectrum Health. The combined system is now called Corewell Health.

More About the MOVEit Ransomware Attack

It is not easy to understand how all these pieces are connected, but anyone impacted in the Corewell Health data breach had their data shared with Welltok, a third-party vendor who used the MOVEit software ostensibly to safety transfer files. Well, that plan obviously backfired, and millions are now left wondering how to proceed with their personal details scattered all over the dark web.

You are not alone, however. It may not make it an easier pill to swallow, but thousands of organizations and tens of millions of individuals are in the same vulnerable position. The Progress Software MOVEit software was used by many companies, some very much connected unbeknownst to many consumers and patients. It is astonishing sometimes how many companies have access to our personal data–many companies we have never even heard of.

Then one day you get a data breach notification letter in the mail from one of these companies you’ve never heard of, and they alert you that they have potentially leaked your most sensitive personal data. This doesn’t seem fair to many consumers, and that is why it may be necessary to take legal action. By filing a data privacy lawsuit, consumers can hit companies where it matters most: in the pocket. This is often the only way to change negligent corporate behavior. Only by taking a company to court can changes be made for the betterment of consumer privacy.

The Lyon Firm has experience filing data privacy lawsuits on behalf of plaintiffs in all fifty states. Our legal team works alongside some of the most prominent privacy firms in the country to find you justice and rightful compensation. Following a data breach event, you may be at a heightened risk for fraud and identity theft in the future. Learn more about how to protect yourself, and learn more about the legal process. 

We believe very strongly that any entity that collects and stores your personal data has a legal and ethical duty to protect it with reasonably secure networks. Should any organization fail to protect your personal information, and your data is stolen as a direct result of their ineptitude, you may take legal action and file suit. Call now for a free consultation.