Sutter Health, a prominent healthcare provider, has recently disclosed a data breach involving one of its vendors that exposed the personal information of 845,441 patients. The breach, which occurred last spring, was attributed to a ransomware attack targeting a file transfer tool known as MOVEit.
According to a statement on Sutter Health’s website dated November 3, the compromise was discovered when Virgin Pulse, a company working in collaboration with Sutter Health to facilitate patient communication, notified them on September 22 about the impact of the ransomware attack on its systems.
Virgin Pulse reportedly responded promptly to the incident, implementing available patches, undertaking recommended mitigation measures, and launching an internal investigation with the assistance of third-party cybersecurity specialists. The focus of the investigation was to assess the potential impact of vulnerabilities on the MOVEit Transfer server and the security of data stored on its server.
Sutter Health received the final report from Virgin Pulse on October 24, revealing that an unknown actor had accessed the MOVEit server between May 30 and 31, 2023, and “exfiltrated certain data.”
In a letter addressed to affected patients, Sutter Health detailed the compromised information, which included names, dates of birth, health insurance details, provider names, treatment cost information, and treatment/diagnosis information. However, the health system assured patients that no Social Security numbers or financial information were affected.
To mitigate the impact on affected individuals, Sutter Health pledged to provide a year of free access to Experian IdentityWorks. Additionally, a dedicated assistance line has been established for patients seeking help, available at 800-628-2141 from 6 a.m. to 8 p.m. Pacific Time, and on Saturdays and Sundays between 8 a.m. and 5 p.m.