Sutter Health announces ransomware attack that exposed personal information of patients
SACRAMENTO - The personal information of potentially hundreds of thousands of patients at Sutter Health was exposed during a ransomware attack on one of its vendors earlier this year, Sutter Health announced on its website.
Sutter Health says it uses a vendor, a Virgin Pulse company, to operate an online contact-management platform that allows the hospital to notify patients and members with notices.
Virgin Pulse estimated about 845,000 Sutter Health patients could be affected by the attack, according to Sutter Health. They did say social security numbers and financial information were not impacted.
On Sept. 22, Virgin Pulse notified Sutter Helth about the ransomware attack.
"Virgin Pulse confirmed it moved quickly to apply available patching, undertook recommended mitigation steps and launched an internal investigation, with the assistance of third-party cybersecurity specialists, to determine the potential impact of the vulnerabilities' presence on the MOVEit Transfer server and the security of data housed on its server," Sutter Health says in a statement on its website.
During the investigation, Virgin Pulse found someone accessed a file transfer tool called MOVEit between May 30 and May 31. Sutter Health said some data was exfiltrated.
The final report of the investigation was provided to Sutter Health on Oct. 24. Sutter Health posted information online on Nov. 3.
Customers impacted by the data breach should have been notified by Virgin Pulse by mail. Anyone who was impacted can call Virgin Pulse at (800) 628-2141 between 6 a.m. and 8 p.m. during the week and between 8 a.m. and 5 p.m. on the weekends.