CentraCare Health, a Minnesota-based regional healthcare network operating hospitals, clinics, and the Centra Care urgent-care service line in central Minnesota, was drawn into the broader 2023 MOVEit supply-chain attack carried out by the Cl0p ransomware group. The attack occurred on or around May 30 to 31, 2023 when Cl0p exploited a previously unknown zero-day vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file-sharing platform. CentraCare patient data was held by Welltok, a Virgin Pulse-owned patient engagement vendor that used MOVEit Transfer for large-dataset transfers between Welltok and its health-plan and provider clients. Welltok confirmed the breach in late October 2023.

The breach affected approximately 782,000 CentraCare-attributed records based on records indexed by breach-tracking services, as part of a broader Welltok-wide breach affecting approximately 14.7 million individuals across multiple healthcare clients. Compromised fields for CentraCare patients included names, home addresses, email addresses, phone numbers, account-balance information, and medical diagnosis information. No Social Security numbers or payment-card numbers were included in the CentraCare-specific portion of the data, though other Welltok client portions did include SSN exposure.

For affected CentraCare patients, the practical risk profile combines identity-fraud exposure with medical-context-specific risks. The combination of name, address, contact information, and medical diagnosis is a strong base for medical-themed phishing referencing real diagnoses, prescription-fraud attempts, and insurance-fraud claims billed under affected patients' identities. The inclusion of account-balance data adds direct billing-fraud risk because attackers may reference real outstanding balances to lend credibility to scams. Affected patients should remain alert to unsolicited contact referencing CentraCare, Welltok, or specific medical conditions, and should monitor health-insurance statements closely. Patients should also be aware that they may have been affected by additional unrelated breaches given the multi-vendor nature of healthcare supply chains.

Urgent-care clinic networks collect patient identity, contact, insurance, billing, appointment, and treatment records across walk-in and outpatient care workflows.

The 2023 MOVEit-related disclosure was one of multiple Welltok-related breach notifications affecting CentraCare's patient engagement processes. CentraCare initially issued a brief public statement attributing the exposure to an unnamed third-party vendor, with limited detail on the number of affected patients or remediation. Privacy advocates and journalists criticized the opacity of the disclosure and the limited credit-monitoring offer typical of MOVEit-related notifications. The MOVEit incident has been subsumed into the consolidated In re MOVEit Customer Data Security Breach multidistrict litigation, in which CentraCare could be named through discovery as the chain-of-custody for stolen files is established. Welltok's parent Virgin Pulse remains a primary defendant in the MDL.