Cracking the Sutter Health Data Breach: What You Need to Know for Protection

On November 3, 2023, Sutter Health, a prominent not-for-profit health system headquartered in Sacramento, California, revealed a concerning incident on its website—a third-party data breach at Welltok, Inc., a Virgin Pulse company. This breach exposed sensitive information, including names and protected health information, of individuals within Sutter Health’s network. As the fallout from this security incident unfolds, it becomes crucial for affected individuals to comprehend the nature of the breach, the potential risks they face, and the actions they can take to safeguard themselves.

Did You Receive A Sutter Health Notice Letter?

Sutter Health
Did you receive notice from Sutter Health that your information was breached?
Do you still have a copy of the notice letter?

The Breach’s Origins

The Sutter Health data breach can be traced back to a vulnerability within MOVEit, a file-transfer application created by Progress Software. Virgin Pulse, the subsidiary of Welltok, Inc., which suffered the breach, was notified of this vulnerability by Progress Software on September 22, 2023. MOVEit servers across various companies were exposed to a zero-day vulnerability, allowing unauthorized access to sensitive data.

Virgin Pulse responded promptly to this notification, implementing all available patches and recommended security measures to mitigate the risk. Subsequently, the company enlisted the assistance of third-party cybersecurity specialists to conduct a comprehensive investigation.

The Investigation and Timeline

The investigation revealed that an unauthorized party successfully accessed Virgin Pulse’s MOVEit server between May 30, 2023, and May 31, 2023. During this window, the infiltrators exfiltrated certain data, potentially compromising the personal information of individuals associated with Sutter Health.

In response to this discovery, Virgin Pulse took swift action to assess the extent of the breach. The company reviewed the compromised files to identify the specific information that had been exposed and determine the individuals affected. The breached information, though varying from person to person, reportedly includes names and protected health information.

Notification and Response

Sutter Health promptly addressed the situation by posting a notice on its website on November 3, 2023, informing the public about the MOVEit breach. Concurrently, Virgin Pulse initiated the process of notifying individuals affected by the breach. Data breach notification letters were dispatched to all those whose information was compromised during the incident. These letters aim to provide victims with a comprehensive list of the specific information that may have been accessed by unauthorized parties.

Protecting Yourself in the Aftermath

If you are one of the individuals who received a data breach notification from Sutter Health or Virgin Pulse, it is imperative to understand the potential risks and take proactive measures to protect yourself. Consulting with a data breach lawyer can offer valuable insights into how to safeguard against fraud and identity theft. Legal professionals can also guide affected individuals on the available legal recourse following the Sutter Health data breach.

About Sutter Health and Virgin Pulse

Sutter Health, founded in 1921, is a not-for-profit health system renowned for its extensive network of 24 hospitals and over 200 clinics in Northern California. With more than 51,000 employees and an annual revenue of approximately $14.8 billion, Sutter Health plays a crucial role in the healthcare landscape.

Virgin Pulse, headquartered in Providence, Rhode Island, is a healthcare software company partially owned by Virgin Group, a multinational venture capital conglomerate based in London, England. With around 2,000 employees and an annual revenue of about $385 million, Virgin Pulse is a key player in the healthcare technology sector.


The Sutter Health data breach highlights the pervasive threat posed by vulnerabilities in third-party systems, emphasizing the importance of robust cybersecurity measures across interconnected networks. As affected individuals navigate the aftermath of this breach, understanding the timeline, response efforts, and potential risks becomes paramount. By staying informed and taking appropriate action, individuals can better protect themselves and mitigate the potential fallout from this unfortunate incident.