Join the Welltok Data Breach Class Action Lawsuit | Virgin Pulse

The Lyon Firm is still investigating new claims for the ongoing MOVEit file transfer data breach litigation that has embroiled hundreds of organizations, including Welltok (Virgin Pulse).

If you have received a data breach notification letter from Welltok or Virgin Pulse regarding the Progress Software MOVEit cyberattack last year, you may still be able to join a class action lawsuit to recover compensation and hold any negligent company accountable for damages.

What Happened at Welltok?

The Welltok data breach was the fourth-largest healthcare data breach of 2023, impacting 8,493,379 individuals. The breach stemmed from the massive Progress Software MOVEit data security incident that compromised the data of hundreds of organizations.

The Clop ransomware group allegedly exploited a zero-day vulnerability in the MOVEit software to breach it, and followed up with extortion demands. The total is still growing, but the breach is thought to have impacted over 77 million people.

Like many other companies, Welltok used the MOVEit Transfer tool for transferring large datasets as part of its contracted services with health plans. The company was notified by Progress Software on May 31, 2023 about a vulnerability in the MOVEit platform and applied a software patch as recommended by Progress. The fix came a day or two too late, however. The data had already been stolen by Clop, which was officially confirmed on July 26, 2023. Data theft was later confirmed on August 26, 2023.

A long review of the affected files confirmed that health plan member data could have been leaked. The personal information includes names, dates of birth, addresses, health information, Social Security numbers, Medicare/Medicaid IDs, and health insurance information.

Who Was Impacted in the Welltok Data Breach?

Welltok, which is owned by Virgin Pulse, works with health plan providers and manages communications with their subscribers. The company also operates an online wellness program for health plan subscribers.

Following the May 2023 debacle, Welltok, a Denver-based patient engagement company, confirmed that it was one of the MOVEit victims. Welltok notified the Maine Attorney General about the data breach on behalf of the following group of California health plans, with the breach notice stating 1.9 million individuals had been affected:

  • Stanford Health Care
  • Lucile Packard Children’s Hospital Stanford
  • Stanford Health Care Tri-Valley
  • Stanford Medicine Partners
  • Packard Children’s Health Alliance

A different breach notification was sent out by Welltok on behalf of Premier Health, an Ohio health system, and Graphic Packaging International, LLC. The Welltok website notification states it is providing notifications on behalf of Sutter Health and Trane Technologies Company LLC. Sutter Health previously confirmed that it was affected by the incident and said 845,451 individuals had been impacted.

Other victims of the breach include Arkansas-based St. Bernards Healthcare, Inc., Corewell Health, Horizon Health, the International Paper Company Group, Asuris Northwest Health, BridgeSpan Health, Blue Cross and Blue Shield of Minnesota and Blue Plus, Blue Cross and Blue Shield of Alabama, Blue Cross and Blue Shield of Kansas, Blue Cross and Blue Shield of North Carolina, Mass General Brigham Health Plan, Faith Regional Health Services, The Guthrie Clinic, Regence BlueCross BlueShield of Oregon, Regence BlueShield, Regence BlueCross BlueShield of Utah, Regence Blue Shield of Idaho, Yale New Haven Health, CHI Memorial, CHI St. Alexius, West Virginia University Medicine, OSF Healthcare, UnitedHealthcare, the Good Shepherd Health Care System, and Humana CenterWell Pharmacy.

Figures from the cybersecurity firm Emsisoft show that the Clop attack on MOVEit impacted over 2,700 organizations globally, and that the personal data of at least 94 million individuals was stolen. Many class action lawsuits have been filed in response to these data breaches, naming the organizations as defendants as well as Progress Software.

Who is Cl0p?

Cl0p is the name of both a group and a type of ransomware used in cyberattacks since 2019. The data stolen in the MOVEit attacks is a classic example of their work. They hack a system, publish data to a site on the dark web, then extort the organizations and only release the data when a ransom has been paid.

While the bad actors behind Cl0p have historically deployed file-encrypting ransomware, they also use a smash-and-grab, exfiltration-only strategy, relying on the stolen data as leverage to extort payment from companies willing to play these games.

The MOVEit data security incident clearly shows the challenges organizations face in securing data on their networks. One huge concern is that companies not only have their own security to think about but that of their vendors as well. A secure system is only as strong as the weakest link. Experts also say that attacks which leverage zero-day vulnerabilities, as the MOVEit attack did, are extremely difficult to defend against.

Why Join the Virgin Pulse Class Action Lawsuit?

You can join the existing Welltok class of plaintiffs that are alleging IT security negligence claims. It is not too late to file a claim to qualify for compensation. The Lyon Firm is involved in numerous related cases, and has the experience and resources to settle data privacy lawsuits. We have reached settlements with several other companies following data theft incidents, and have represented clients in all fifty states.

We work with industry experts nationwide, and the current MOVEit lawsuit involves many of the country’s largest data privacy firms. Contact our legal team to learn more about how to protect yourself in the future, and what the current legal process looks like for you. By filing a class action data breach claim you may be able to hold any negligent company accountable and at the same time improve your financial situation.

The Lyon Firm has years of experience in the cybersecurity and data privacy space. We believe very strongly that any company that collects and stores your information has an ethical and legal duty to protect it with reasonably secure networks. Companies are also liable for the poor security systems of their vendors, and can be held responsible in a court of law if a vendor fails to protect your data.

Contact our data breach lawyers to join the Welltok data breach class action lawsuit if you or a loved one received notice from one of the companies impacted. We can help you file a claim and assist you in learning more about a safe and secure future.