On November 3, 2023, Sutter Health posted notice on its website describing a third-party data breach at Welltok, Inc., a Virgin Pulse company (“Virgin Pulse”). In this notice, Sutter Health explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names and protected health information. Upon completing its investigation into the Sutter Health data breach, Virgin Pulse began sending out data breach notification letters to all individuals whose information was affected by the recent data security incident.

If you received a data breach notification from Sutter Health or Virgin Pulse, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft, as well as discuss your legal options following the Sutter Health data breach. For more information, please see our recent piece on the topic here.

What Caused the Data Breach Affecting Sutter Health Patients?

The Sutter Health / Virgin Pulse data breach was only recently announced, and more information is expected in the near future. However, Sutter Health’s November 3, 2023, website notice provides some important information on what led up to the breach. According to this source, on September 22, 2023, Virgin Pulse notified Sutter Health that it had been affected by a vulnerability within MOVEit, a file-transfer application created by Progress Software.

The widely reported MOVEit vulnerability came to light earlier this year, when Progress Software confirmed the zero-day vulnerability allowed hackers to access companies’ MOVEit servers.

Upon learning of the MOVEit vulnerability, Virgin Pulse applied all available patches and took the recommended steps to mitigate any unauthorized access. Virgin Pulse then launched an investigation into the incident with the help of third-party cybersecurity specialists.

The Virgin Pulse investigation confirmed that an unauthorized party was able to access its MOVEit server between May 30, 2023 and May 31, 2023, and that they exfiltrated certain data from its MOVEit server during that time.

After learning that sensitive consumer data was accessible to an unauthorized party, Virgin Pulse reviewed the compromised files to determine what information was leaked and which consumers were impacted. While the breached information varies depending on the individual, it may include your name and protected health information.

On November 3, 2023, Sutter Health posted notice of the MOVEit breach on its website. This notice indicates that Virgin Pulse has already begun sending data breach letters to anyone who was affected by the recent data security incident. These letters should provide victims with a list of what information belonging to them was compromised.

More Information About Sutter Health and Virgin Pulse

Founded in 1921, Sutter Health is a not-for-profit health system headquartered in Sacramento, California. Sutter Health operates 24 hospitals and more than 200 clinics in Northern California. Sutter Health employs more than 51,000 people and generates approximately $14.8 billion in annual revenue.

Virgin Pulse is a healthcare software company based out of Providence, Rhode Island. The company is partially owned by Virgin Group, the large multinational venture capital conglomerate headquartered in London, England. Virgin Pulse employs approximately 2,000 people and generates annual revenue of roughly $385 million.