Sutter Health Breach
May 31, 2023
1,463,310 rows
What happened in the Sutter Health Breach?
DataBreach.com Team · December 3rd 2024, 7:00 pm EST
In May 2023, Northern California hospital giant Sutter Health saw the personal and medical details of more than 845,000 patients siphoned off after its patient-engagement vendor Welltok (doing business as Virgin Pulse) was compromised during the massive MOVEit Transfer zero-day campaign attributed to the Cl0p ransomware gang. The trove, later uploaded to an underground breach marketplace in December 2024 at roughly 1.46 million database rows, contained highly sensitive protected health information (PHI).
What was exposed
Attackers made off with full names, home addresses, phone numbers, email addresses, dates of birth, insurance-provider details, doctor names, treatment and diagnosis codes, as well as clinical metrics such as weight and blood-pressure readings, enough data to assemble a cradle-to-grave medical dossier on every affected patient. Unlike in many healthcare incidents, Social Security and payment-card numbers were not in the Welltok dataset, but security experts warn that the breadth of PHI is still more than sufficient for targeted medical identity theft and extortion schemes.
How the breach happened
Cl0p exploited CVE-2023-34362, a zero-day in Progress Software’s MOVEit file-transfer platform, to grab data moving between Welltok and its healthcare clients during a brief window on May 30-31, 2023. Sutter Health was not alerted until September 22, when Virgin Pulse disclosed the intrusion. An internal forensic review, assisted by third-party incident-response specialists, confirmed that exfiltration occurred before the vulnerability was publicly patched.
Ransom and leak pressure
While Cl0p typically demands eight-figure ransoms, neither Sutter nor Virgin Pulse has acknowledged receiving a direct payment demand. Instead, patient records linked to Sutter began appearing on Cl0p’s leak site alongside dozens of other MOVEit victims, effectively holding the data hostage to public exposure unless organizations negotiated privately.
Sutter’s disclosure and the backlash
Sutter waited until November 3, 2023, to post a terse notice on its “Vitals” news blog and mail letters offering a single year of Experian credit monitoring. Critics lambasted the four-month disclosure delay and the limited remediation, pointing out that medical identity theft risks can persist for decades.
Early legal fallout
The first class-action suit, Copans v. Sutter Health & Welltok, Inc. (E.D. Cal., No. 2:23-cv-02619), was filed on November 10, 2023, alleging negligence, breach of implied contract, and violations of California’s Confidentiality of Medical Information Act. Plaintiffs argue that Sutter failed to vet its vendor’s security controls, ignored “industry-standard patching practices,” and deprived patients of timely notice, forcing them to purchase additional credit- and identity-protection services. More complaints have since been funneled into the federal In re MOVEit Customer Data Security Breach MDL (No. 3083), where discovery will probe both Sutter’s vendor-risk management and Virgin Pulse’s MOVEit server hardening.
Why it matters
If the MDL survives dismissal, it could set important precedent on just how far healthcare systems must go to audit third-party vendors handling PHI and how quickly they must notify patients after a supply-chain breach. Regulators are also watching: under HIPAA, the U.S. Department of Health & Human Services can levy fines of up to $1.5 million per violation for “willful neglect” of security safeguards. With ransomware groups increasingly favoring data-theft-only campaigns against healthcare, Sutter’s MOVEit saga offers a textbook case on the cascading impact of third-party risk, and on the legal, financial, and reputational costs when that risk is underestimated.