According to the company, a "few thousand" customer names, billing addresses, credit card numbers, expiration dates and CVV codes were exposed when one of Well.ca's service providers was compromised between December 22, 2013 and January 7, 2014.
Only first-time customers who made a purchase between December 22, 2013 and January 7, 2014 are affected. The attacker apparently leveraged a vulnerability to access the company's Web site and record customer information as it was entered.
The service provider in question detected the vulnerability during a routine security audit on January 7, 2014, and notified Well.ca.
The breach was then confirmed by Well.ca's credit card provider two weeks ago.
"Because it was a small subset of customers [affected], our first priority was to contact those customers, and we've been using all of our resources this morning and early afternoon to reach out to those customers," Well.ca CEO Rebecca McKillican told ITBusiness.ca.