On November 17, 2023, Corewell Health (“Corewell”) posted a website notice describing a third-party data breach at one of the company’s vendors, Welltok, Inc. (“Welltok”). In this notice, Corewell explains that the incident resulted in an unauthorized party being able to access sensitive information belonging to approximately 1 million patients, which includes their names, dates of birth, email addresses, phone numbers, diagnoses, health insurance information and Social Security numbers. Upon completing its investigation, Welltok began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you received a data breach notification from Corewell Health or Welltok, Inc., it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft, as well as discuss your legal options following the Corewell / Welltok data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breach Affecting Corewell Health Patients?

The Welltok / Corewell data breach was only recently announced, and more information is expected in the near future. However, Corewell’s website notice provides some important information on what led up to the breach. The Corewell post also links to a Welltok data breach letter that provides additional details. The incident involved MOVEit, which is a file-transfer software used by many large companies across the world.

According to these sources, on July 26, 2023, Welltok was made aware that its MOVEit server had been compromised. However, Welltok had previously installed all patches and security upgrades, and upon completing an investigation, Welltok determined that there was no unauthorized access.

On August 11, 2023, after a follow-up investigation, Welltok determined that an unauthorized party was able to access the company’s MOVEit server on May 30, 2023. It was also confirmed that the unauthorized party removed certain data from the company’s MOVEit server, including information belonging to patients of Corewell Health.

After learning that sensitive consumer data was accessible to an unauthorized party, Welltok reviewed the compromised files to determine what information was leaked and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, date of birth, email address, phone number, diagnosis, health insurance information and Social Security number

More recently, Welltok sent out data breach letters to anyone who was affected by the recent data security incident. These letters should provide victims with a list of what information belonging to them was compromised.

More Information About Corewell Health

Corewell Health is a healthcare system based out of Grand Rapids, Michigan. Corewell operates 21 hospitals and more than 300 outpatient locations in Michigan, providing care for an estimated 1.3 million people. Corewell was formed in 2022 by the merger of Beaumont Health and Spectrum Health. Corewell Health employs more than 60,000 people and generates approximately $14 billion in annual revenue.