Moveit: Data breach at Welltok affects 8.5m people in the US

24 Nov 2023

Image: © Jose Luis Stephens/

Welltok, an SaaS provider focused on healthcare, said data was stolen from its systems through the Moveit server despite installing the recommended patches.

Days after nearly the entire population of the US state of Maine was notified of a cyberattack affecting them, it has emerged that another incident related to the Moveit breach has impacted millions across many more states.

Welltok, a US-based software-as-a-service provider that focuses on the healthcare industry, is one of the more recent victims in the ongoing global data breach that involves the file transfer tool Moveit.

First reported in June, the Moveit breach, in which hackers exploit a zero-day vulnerability in the file transfer software, has affected companies and government agencies on both sides of the Atlantic, including banks, universities, insurance and healthcare providers.

Last month, Welltok issued a statement confirming that its Moveit server was compromised earlier in the year despite the fact that the company had installed “all published patches and security upgrades immediately” after they were made available.

“Welltok also conducted an examination of our systems and networks using all information available to determine the potential impact of the vulnerabilities we were alerted to on the Moveit transfer server and the security of data housed on the server and confirmed that there was no indication of any compromise at that time,” the company wrote.

A subsequent investigation concluded that an “unauthorised actor” had exploited software vulnerabilities and accessed the Welltok Moveit transfer server in May, stealing sensitive data of certain individuals.

And earlier this week, a US department of health portal showed that the Welltok incident has affected nearly 8.5m people across US states, making it one of the largest known breaches related to Moveit.


One of the first Moveit incidents announced affected 45,000 students in the New York City Department of Education system. The agency revealed that students’ personal information, such as social security numbers and birth dates, was stolen.

In July, the hack hit closer to home, after Dublin Airport became the latest victim of the cyberattack. Pay and benefits information of some Dublin Airport employees was compromised in a third-party cyberattack affecting Aon, airport management company DAA confirmed to at the time.

Microsoft attributed the hack exploiting the Moveit zero-day vulnerability to Lace Tempest, a reportedly Russian-speaking cybercrime group known for similar ransomware operations and running the Clop extortion site, which was also responsible for the GoAnywhere MFT attack in March.

Welltok said that the type of information stolen in the breach may include names, addresses, contact details, social security numbers and even sensitive healthcare information such as medical ID numbers and health insurance details.

“For other individuals, certain health information such as a provider name, prescription name or treatment code may have been included,” the company wrote.

“We encourage individuals to remain vigilant against incidents of identity theft and fraud by reviewing your account statements, explanation of benefits forms and monitoring your free credit reports for suspicious activity and to detect errors.”

According to Welltok, some of the states affected by the latest breach include Minnesota, Alabama, Kansas, North Carolina, Michigan, Nebraska, Illinois and Massachusetts.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain is a journalist with Silicon Republic