Sutter Health reports MOVEit related data breach, exposing 800k patients

published: Nov. 10, 2023

Learn More

Sutter Health, a healthcare provider based in Sacramento, California, reported a data breach that exposed the personal information of over 845,000 patients. The breach resulted from an attack that targeted a file transfer tool called MOVEit, which was used by a vendor called Welltok Inc. to provide online contact management services for Sutter Health.

The attack took place between May 30 and May 31. Welltok Inc. as the vendor immediately affected, reported the attack to Sutter Health through its parent company, Virgin Pulse, on September 22.

Virgin Pulse's investigation revealed that an unknown actor had gained unauthorized access to the MOVEit server and exfiltrated certain data. The exposed data include:

  • patients' names,
  • dates of birth,
  • health insurance information,
  • provider names,
  • treatment cost information,
  • treatment-related details or diagnoses.

To address the breach's impact on affected patients, Sutter Health and Virgin Pulse have informed impacted patients through letters that contain information on available services, resources, and recommendations to monitor any potential misuse of their personal information. Additionally, a dedicated assistance line (800-628-2141) has been set up to provide support to affected individuals.

In response to this breach, Sutter Health is also offering a year of free access to Experian IdentityWorks for affected patients to help safeguard their identities.

Sutter Health reports MOVEit related data breach, exposing 800k patients