Utah State University received a notification from Regence regarding two breaches: The first one involves NASCO, a vendor of Elevance Health (formerly Anthem Blue Cross Blue Shield), which processes claims for Regence. The second breach concerns Virgin Pulse, Inc., a vendor of Prime Therapeutics, a company contracted by Regence for pharmacy benefits management. Welltok, Inc., a subsidiary of Virgin Pulse, provides services related to these breaches. Both incidents involve the use of MOVEit file transfer software. Regence has confirmed that none of their systems were affected.
Importantly, Utah State University does not use the MOVEit software, and no systems operated or maintained by USU were breached. Still, the University is actively monitoring the situation and will share relevant future information it receives from Regence and its affected vendors.
NASCO and Virgin Pulse (Welltok) will be mailing individual notification letters offering complimentary credit monitoring and identity theft restoration services to all affected members.
Below is a list of frequently asked questions, which will be continuously updated as we receive more information.
What happened?
NASCO
NASCO is a healthcare software that works with Elevance Health (formerly Anthem Blue Cross Blue Shield) to process claims. When a Regence member gets care in Elevance's area and their claim goes through the BlueCard system, Elevance handles the claim for Regence. NASCO uses MOVEit file transfer software for sharing Regence member data provided by Elevance.
Regence has reported that on July 12, 2023, NASCO discovered a cyberattack by CL0P ransomware. They promptly hired cybersecurity experts and alerted the FBI. The attack exploited a MOVEit software vulnerability, compromising Regence member data from 2015-2018. NASCO notified Elevance on August 2, 2023, confirmed the impact on Regence members on October 17, 2023, and reported it to Regence on October 19, 2023. NASCO has posted details about this incident on its website.
Virgin Pulse (Welltok)
Virgin Pulse is a vendor of Prime Therapeutics. Regence contracts with Prime Therapeutics as their pharmacy benefits manager, and Prime contracts with Virgin Pulse for outbound call notifications to Regence members. Virgin Pulse’s subsidiary, Welltok, Inc., provides these services.
According to Regence, on July 26, 2023, Virgin Pulse discovered an online post by CL0P, a ransomware threat actor, that listed targeted organizations. The forensic investigation confirmed that the threat actor gained unauthorized access to Welltok’s server where campaigns and member data provided by Prime are stored, and that the data provided by Prime was accessed and downloaded by the threat actor on May 30, 2023.
What this means for USU
No systems operated or maintained by USU were breached. We are providing this information so everyone in our community can take steps to protect their personal information.
USU takes data privacy and information security very seriously and this matter is of utmost and vital importance to the university. USU is actively evaluating the extent of the impact on students and employees.
What personal information was involved and who was impacted?
NASCO
NASCO reported that 93 members of Utah State University Health Plan were affected by the breach. The compromised information, dating from 2015-2018, includes subscriber IDs, claim numbers, group numbers and name, patient account numbers, provider names, procedure codes, claim charges, and service dates.
Virgin Pulse (Welltok)
Virgin Pulse (Welltok) reported that 93 members of Utah State University Health Plan were affected by the breach. The information potentially downloaded about individuals included member name, member ID, date of birth, address, phone number, client ID, group ID, carrier ID, account ID, and medication.
What measures are being taken by NASCO?
According to Regence, after discovering the ransomware threat actor on July 12, 2023, NASCO immediately retained a third-party cybersecurity company to perform a forensic investigation, and notified the FBI Detroit of the incident. The forensic investigation confirmed that the threat actor took advantage of a vulnerability in the MOVEit file transfer software to gain access to NASCO’s MOVEit instance where Regence member data was stored. Subsequently, the NASCO MOVEit server affected by the attack was decommissioned and is no longer accessible from the internet. NASCO has also confirmed that it no longer uses MOVEit.
What measures are being taken by Virgin Pulse (Welltok)?
According to Regence, upon discovering the security breach, Virgin Pulse (Welltok) promptly took several steps to mitigate the situation. They changed all related passwords, conducted a thorough system sweep for signs of an attack, applied vendor-recommended patches and controls, blocked suspect IP addresses at the firewall, updated endpoint protection systems to detect future attempts, enlisted a third-party forensics firm for a comprehensive analysis, rebuilt the impacted system following industry standards, and reinforced the recommendation for clients to use PGP file encryption when uploading files to their systems. Virgin Pulse has since confirmed that no additional data breaches have been found, all known vulnerabilities have been addressed, and there is no current evidence of further security compromises.
Things you can do to protect yourself
- Be extra vigilant: It is possible that cybercriminals may leverage stolen personal information from this attack to craft convincing phishing attacks in the coming weeks and months. An email, notice, or text message containing accurate information about you or one of your accounts is not enough to verify authenticity. Verify the source of a message before responding. Take note of how to identify a phishing attack. Phone calls may also be used to obtain personal or financial information.
- Monitor your financial accounts and credit: It is always wise to monitor your credit report for unusual activity. Consider putting a credit freeze in place to frustrate would-be scammers if you believe you are being targeted.
- Secure your accounts: Remember to enable two-factor authentication and to use long passphrases for all of your accounts. Never give someone your password or a two-factor code if asked for it, even if they claim to be from a trusted organization.
- Update your Banner Account: Keep your Banner account updated to ensure you receive important notices.
- Enable multi-factor authentication (MFA) for your online accounts. MFA adds an extra layer of security by requiring you to provide additional verification besides your password.
- Be cautious when clicking on links or downloading attachments in emails from unknown sources. These links or attachments may contain malware that can compromise your computer or steal your personal information.
- Keep your software and operating system updated with the latest security patches. Hackers often exploit vulnerabilities in outdated software and operating systems.
- Limit the personal information you share online. Avoid sharing sensitive information on social media or other online platforms, such as your date of birth, home address, or social security number.
- Online tools such as "Have I Been Pwned" can help you check whether your personal information has been compromised in data breaches and provide information about the breach if it has occurred, and "Experian" can help you identify whether your information is on the Dark Web.