Hackers stole personal data of over 800k Sutter Health patients in California data breach

Cathie Anderson

November 11, 2023 at 8:30 AM·4 min read

Hundreds of thousands of Sutter Health patients are learning that they had personal information stolen as part of the same massive data breach last May that hit roughly 1.2 million CalPERS and CalSTRS retirees and more than 70 million people worldwide.

Sacramento-based Sutter said it had contracted with a Virgin Pulse subsidiary called Welltok to store, organize and track patient information, ensuring that the health care giant could provide notices and communications relevant to each patient’s needs.

Virgin Pulse initially notified Sutter Health on Sept. 22 that it had been affected by the ransomware attack that targeted the MoveIt file transfer tool that supports the exchange of data between servers, systems and applications. Sutter said the final Virgin Pulse report, which explained the extent of the intrusion, arrived on Oct. 24.

“Based on the findings of Virgin Pulse’s investigation, it is estimated the personal information of approximately 845,441 Sutter Health patients may be impacted,” Sutter reported in a Nov. 3 announcement on its website. “Importantly, Virgin Pulse can confirm social security numbers and financial information were not impacted by this incident.”

While financial data were not lost, Virgin Pulse noted in a timeline on its website that “certain health information such as a provider name, prescription name, or treatment code may have been included.”

Threat analyst Brett Callow of the cybersecurity firm Emsisoft said one of the lessons here is that people shouldn’t think they were not affected by the MoveIt data breach simply because they haven’t received word that their personal information was compromised.

“The state of Maine, yesterday I think, disclosed that pretty much everyone in the state had been affected by this,” Callow said Friday. “I don’t know quite why it’s taking so long, possibly simply because of the really unprecedented scale of this breach.”

List of MoveIt breaches grows

Welltok, in the letter sent to Sutter patients, said it had installed all published patches and security upgrades for the MoveIt transfer software, so after receiving an alert on July 26, its cybersecurity experts examined whether its system was vulnerable to the attack.

They didn’t find any compromise at that time but hired an outside cybersecurity team to check for vulnerabilities, the company stated, and using new information that had become available, they detected a site on Aug. 11 where the system had been breached.

“We subsequently undertook an exhaustive and detailed reconstruction and review of the data stored on the server at the time of this incident to understand the contents of that data and to whom that data relates,” Welltok wrote.

The Welltok data breach and hundreds of others stem from May attacks by a ransomware group known as Clop or C10p. These hackers discovered a flaw or vulnerability in the MoveIt software and punched through it, gaining access and foiling encryption protocols.

By Emsisoft’s count, 2,590 organizations have reported being victims of the hack. So far, Callow said, none of the personal information has been leaked or abused.

“There is always the potential for that to happen, of course,” Callow said, “and people should be aware of that and be cautious.”

Sutter said that Virgin Pulse had notified all affected patients with letters that explained available services, resources and recommendations for patients to monitor any potential inappropriate use of their personal information. If impacted patients have further questions, they also can call Virgin Pulse at 800-628-2141 from 6 a.m. to 8 p.m. weekdays or 8 a.m. to 5 p.m. on Saturday and Sunday. The line is not staffed on major U.S. holidays.

Other health systems affected

The MoveIt data breach affected dozens of health care systems and hospitals, including Duke University Health System, UT Southwestern Medical Center in Texas and Johns Hopkins All Children’s Hospital in Maryland.

While lawsuits have alleged that hackers could store and use the stolen consumer information years in the future, Callow said that it would be difficult to find on the dark web and even tougher to access.

“Think of the amount of forensic work that companies needed to to do work out what was taken,” he said. “It would be a similar task to try and get that data organized in some type of usable form.”

It’s unknown whether these breaches violate privacy laws in the health care industry or other consumer confidentiality laws. Lawyers, including firms representing CalPERS retirees, have filed more than 100 suits against MoveIt developer Progress Software and other organizations.

Last month, over the objection of plaintiffs’ lawyers, a multidistrict judicial panel assigned U.S. District Judge Allison Burroughs in the District of Massachusetts to oversee all the litigation. Progress Software is based in Burlington, Massachusetts.

Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Yahoo Sports
Phil Mickelson on the majors: 'What if none of the LIV players played?'
Phil Mickelson hints that big changes could be coming to LIV Golf's rosters, and the majors will need to pay attention.
Yahoo Sports
Heat's Pat Riley unhappy with Jimmy Butler's remarks on Celtics and Knicks, implies he needs to play more
Miami Heat president Pat Riley rebuked comments Jimmy Butler made about the Boston Celtics and New York Knicks, while also implying that his star needs to play more.
Yahoo Sports
Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap
Jake Mintz & Jordan Shusterman discuss the Padres-Marlins trade that sent Luis Arraez to San Diego, as well as recap all the action from this weekend in baseball and send birthday wishes to hall-of-famer Willie Mays.
Yahoo Finance
Social Security just passed Medicare as the government's most pressing insolvency risk
An annual government report offered a glimmer of good news for Social Security and a jolt of good news for Medicare even as both programs continue to be on pace to run dry next decade.
Yahoo Sports
No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it
The quality was choppy, but it was better than what the WNBA had.
Yahoo Sports
NBA playoffs: Predictions for Celtics-Cavaliers and every second-round series
Our NBA staff makes its picks for Knicks-Pacers and every second-round series.
Yahoo Sports
The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024
Fantasy baseball analyst Dalton Del Don delivers his latest batch of hot takes as we enter Week 6 of the season.
Yahoo Sports
NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?
Which teams did the best in the NFL Draft?
Yahoo Sports
2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick
Yahoo Sports' Charles McDonald breaks down the Broncos' 2024 draft.
Yahoo Sports
Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race
Race organizers say they'll revoke a Trump fundraiser's suite license if he holds an event for the former president on Sunday at the race.
Yahoo Sports
The best RBs for 2024 fantasy football according to our analysts
The Yahoo Fantasy football analysts reveal their first running back rankings for the 2024 NFL season.
Yahoo Sports
Monday Leaderboard: Brooks Koepka is ready to slow the Scottie Scheffler train
A dominant LIV win and a heartbreaking PGA Tour loss headline this week's top golf stories
Yahoo Sports
Timberwolves' Rudy Gobert out for Game 2 vs. Nuggets due to birth of his child; Jamal Murray to play
Rudy Gobert may not play due to the birth of his first child.
Yahoo Sports
Fantasy Baseball Waiver Wire: 7 pickups ready to improve your squad
Andy Behrens has a fresh batch of priority adds to help give your fantasy team a boost, led by a player set to make his season debut.
Yahoo Sports
The Spin, Buy Low/Sell High hitter edition: Perfect time to test the waters with Salvador Pérez
Some key hitting performances need a trip under the magnifying glass. Fantasy baseball analyst Scott Pianowski does just that and advises managers on what to do next.
Yahoo Sports
NFL Draft grades for all 32 teams | Zero Blitz
Jason Fitz and Frank Schwab join forces to recap the draft in the best way they know how: letter grades! Fitz and Frank discuss all 32 teams division by division as they give a snapshot of how fans should be feeling heading into the 2024 season. The duo have key debates on the Dallas Cowboys, New York Giants, New Orleans Saints, Los Angeles Rams, New England Patriots, Las Vegas Raiders and more.
Yahoo Finance
CVS stock plunges after earnings numbers one analyst 'did not even believe'
CVS warns it could cede Medicare Advantage market share as reimbursement rates pressure the company.
Yahoo Sports
Victor Wembanyama wins NBA Rookie of the Year via unanimous vote after delivering on unprecedented hype
Victor Wembanyama did everything for the Spurs as a rookie.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Hackers stole personal data of over 800k Sutter Health patients in California data breach

List of MoveIt breaches grows

Other health systems affected

Recommended Stories

Former NBA guard Darius Morris dies at 33

The FDIC change that leaves wealthy bank depositors with less protection

Phil Mickelson on the majors: 'What if none of the LIV players played?'

Heat's Pat Riley unhappy with Jimmy Butler's remarks on Celtics and Knicks, implies he needs to play more

Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap

Social Security just passed Medicare as the government's most pressing insolvency risk

No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it

NBA playoffs: Predictions for Celtics-Cavaliers and every second-round series

The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024

NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?

2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick

Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race

The best RBs for 2024 fantasy football according to our analysts

Monday Leaderboard: Brooks Koepka is ready to slow the Scottie Scheffler train

Timberwolves' Rudy Gobert out for Game 2 vs. Nuggets due to birth of his child; Jamal Murray to play

Fantasy Baseball Waiver Wire: 7 pickups ready to improve your squad

The Spin, Buy Low/Sell High hitter edition: Perfect time to test the waters with Salvador Pérez

NFL Draft grades for all 32 teams | Zero Blitz

CVS stock plunges after earnings numbers one analyst 'did not even believe'

Victor Wembanyama wins NBA Rookie of the Year via unanimous vote after delivering on unprecedented hype