Tri-Valley patients among more than 8 million impacted by data breach

Stanford Health Care Tri-Valley was among a number of hospitals nationwide impacted by a data breach at a cloud-based software company providing services for health care facilities, with federal officials currently investigating the incident.

Welltok, a cloud-based software company based in Colorado that provides database and file transferring services for health care providers, was reportedly the target of a hacking effort earlier this year that compromised the security of personal information for 8,493,379 patients nationwide, according to a report submitted to the U.S. Department of Health and Human Services on Nov. 6.

The breach is among the largest currently under investigation by the department as of Dec. 1, with just three other breaches impacting more patients out of hundreds being investigated nationwide.

The company had previously issued a "notice of data privacy event" in October, naming Stanford Health Care hospitals including the Tri-Valley location as among the facilities that saw patients' data hacked. The exact number of patients impacted wasn't made public until after the breach was announced to federal authorities, and the number of Tri-Valley patients affected remains unclear.

"While we have no evidence that any of your information has been misused, we are notifying you and providing information and resources to help protect your personal information," Welltok officials said in the notice on Oct. 24.

They added that the types of information that may have been obtained in the breach were patients' names, addresses, phone numbers and email addresses, as well as health information including provider and prescription names.

"The type of information at issue varies for each person," Welltok officials said. For a small group of patients they said, this could include Social Security numbers and health insurance information.

Welltok officials said that they were first notified that data was at risk on July 26, when vulnerabilities on a transfer server connected to their cloud-based software were made public by the developer of the transfer tool in use, but that they determined that there was no sign that data was compromised at the time upon examination of their systems and networks.

However, further investigation aided by third-party cybersecurity consultants determined on Aug. 11 that vulnerabilities in the software system had been exploited, with their server being accessed on May 30, with some data being stolen during that time, according to the company. They learned on Aug. 26 that personal data had been on the server during the hacking incident.

Patients impacted by the breach were notified by Welltok on behalf of Stanford Health Care as well as the 20 other health care systems affected.

A spokesperson for Stanford Health Care Tri-Valley said that all media inquiries were being handled by Welltok. As of Friday, Welltok's website contained only a brief description of the company's services and a link to the data breach notification issued in October. A spokesperson for Virgin Pulse, which acquired Welltok in 2021, did not respond to questions as of Friday evening.