Centra Care 2023 Data Breach

Centra Care Urgent Care Network Breach (2023): 782K Patient Records Including Medical Diagnoses Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Cl0p (via Welltok / MOVEit supply chain; CVE-2023-34362) · Ransomware · Medical · Account Balance · Email Address · Full Name · Medical Diagnosis · Phone Number · Physical Address
High Severity · Website / service breach

CentraCare - Minnesota regional healthcare network.

Verified by ObscureIQ Intelligence
Breach Risk Index: 67/100
Data Value: 40
Market Recency: 25
Since Breach: 509d

Breach Intelligence Summary

Entity: Centra Care · Actor: Cl0p (via Welltok / MOVEit supply chain; CVE-2023-34362) · Sources: 2 references
Attack: Ransomware
Profile: Healthcare Provider · Urgent care and walk-in medical services · Urgent care clinic network · USA
Timeline: Breach (2023-05-31) · Indexed (Dec 04, 2024) · Year (2023)
Exposure: 782K records · 6 fields: Account Balance, Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address
Status: Reported

Executive Summary

CentraCare Health, a Minnesota-based regional healthcare network operating hospitals, clinics, and the Centra Care urgent-care service line in central Minnesota, was drawn into the broader 2023 MOVEit supply-chain attack carried out by the Cl0p ransomware group. The attack occurred on or around May 30 to 31, 2023, when Cl0p exploited a previously unknown zero-day vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file-sharing platform. CentraCare patient data was held by Welltok, a Virgin Pulse-owned patient engagement vendor that used MOVEit Transfer for large-dataset transfers between Welltok and its health-plan and provider clients. Welltok confirmed the breach in late October 2023.

The breach affected approximately 782,000 CentraCare-attributed records based on records indexed by breach-tracking services, as part of a broader Welltok-wide breach affecting approximately 14.7 million individuals across multiple healthcare clients. Compromised fields for CentraCare patients included names, home addresses, email addresses, phone numbers, account-balance information, and medical diagnosis information. No Social Security numbers or payment-card numbers were included in the CentraCare-specific portion of the data, though other Welltok client portions did include SSN exposure.

For affected CentraCare patients, the practical risk profile combines identity-fraud exposure with medical-context-specific risks. The combination of name, address, contact information, and medical diagnosis is a strong base for medical-themed phishing referencing real diagnoses, prescription-fraud attempts, and insurance-fraud claims billed under affected patients' identities. The inclusion of account-balance data adds direct billing-fraud risk because attackers may reference real outstanding balances to lend credibility to scams.

Affected patients should remain alert to unsolicited contact referencing CentraCare, Welltok, or specific medical conditions, and should monitor health-insurance statements closely. Patients should also be aware that they may have been affected by additional unrelated breaches given the multi-vendor nature of healthcare supply chains.

ObscureIQ assessment: High risk of identity theft, medical fraud, and treatment-themed phishing. Urgent-care context may also expose acute illness or recent medical events.

Breach Impact

The institutional impact on CentraCare is meaningful given the size of the affected population and the public-trust consequences of the limited initial disclosure. Federal HIPAA notification obligations through Welltok as the business associate, an active Office for Civil Rights review covering Welltok and its covered-entity clients, multistate attorney-general filings, and the consolidated MOVEit multidistrict litigation are all underway. The vendor-pathway nature of the breach raises broader supply-chain governance questions for CentraCare's procurement and security functions. The reputational impact concentrates within central Minnesota where CentraCare is the dominant regional health system and patient retention is unusually consequential. Operationally, CentraCare's own systems were not directly compromised, which has helped contain disclosure obligations and remediation costs.

About Centra Care

CentraCare Health, often referred to in operations as Centra Care for its urgent-care service line, is a Minnesota-based regional nonprofit healthcare network headquartered in St. Cloud, Minnesota. The system operates a network of hospitals, primary-care clinics, urgent-care clinics, surgery centers, and home-health services across central Minnesota. The Centra Care urgent-care brand operates walk-in and outpatient medical services as one of CentraCare Health's service lines. As a HIPAA-regulated regional health system at substantial scale, CentraCare maintains comprehensive protected health information including patient identity, insurance, billing, diagnostic, treatment, and prescription records across hospital, clinic, urgent-care, and home-care operations.

Why They Hold Your Data

Urgent-care clinic networks collect patient identity, contact, insurance, billing, appointment, and treatment records across walk-in and outpatient care workflows.

Recent Developments

The 2023 MOVEit-related disclosure was one of multiple Welltok-related breach notifications affecting CentraCare's patient engagement processes. CentraCare initially issued a brief public statement attributing the exposure to an unnamed third-party vendor, with limited detail on the number of affected patients or remediation. Privacy advocates and journalists criticized the opacity of the disclosure and the limited credit-monitoring offer typical of MOVEit-related notifications. The MOVEit incident has been subsumed into the consolidated In re MOVEit Customer Data Security Breach multidistrict litigation, in which CentraCare could be named through discovery as the chain-of-custody for stolen files is established. Welltok's parent Virgin Pulse remains a primary defendant in the MDL.

Data Points Exposed

6 verified field types
  • Account Balance: High
  • Email Address
  • Full Name: High
  • Medical Diagnosis: Critical
  • Phone Number
  • Physical Address: High

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Medical identity fraud or insurance abuse using health data
Threat vectors:
  • High-value targeting
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Medical extortion, insurance fraud & discrimination
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat

Threat Actor: Cl0p (via Welltok / MOVEit supply chain; CVE-2023-34362)

Attribution and method are based on available breach intelligence. Reported attack vector: Ransomware.

Recommended Actions

If you believe your information may be included:

  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Centra Care breach?

CentraCare Health, a Minnesota-based regional healthcare network operating hospitals, clinics, and the Centra Care urgent-care service line in central Minnesota, was drawn into the broader 2023 MOVEit supply-chain attack carried out by the Cl0p ransomware group. The attack occurred on or around May…

What data was exposed?

Verified fields include Account Balance, Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index: DataBreach.com (record & field corroboration)
  • ObscureIQ Intelligence: ObscureIQ proprietary analysis (Risk Index scoring & downstream-threat assessment)
