Morgan & Morgan’s industry-leading data privacy attorneys are investigating the recent Sutter Health data breach, where sensitive personal information may have been exposed to an unauthorized individual.
Hundreds of thousands of Sutter patients are learning that they had personal information stolen as part of a massive data breach last May that hit roughly 1.2 million CalPERS and CalSTRS retirees and more than 70 million people worldwide.
We are investigating the following:
- how Sutter acquired the sensitive information;
- whether Sutter should have had the sensitive information;
- whether and, if so, why Sutter stored this sensitive information in an Internet-accessible environment;
- whether Sutter encrypted the sensitive information;
- whether Sutter deleted sensitive information it no longer had a reasonable need to retain;
- whether Sutter implemented appropriate and adequate security measures to protect the sensitive information; and
- whether Sutter has provided affected individuals adequate protection and compensation for any harm they have experienced as a result of the data breach.
Sacramento-based Sutter said it contracted with a Virgin Pulse subsidiary, Welltok, to store, organize, and track patient information, ensuring that the healthcare giant could provide notices and communications relevant to each patient’s needs.
Virgin Pulse initially notified Sutter Health on September 22 that it had been affected by the ransomware attack that targeted the MOVEit file transfer tool, which supports the exchange of data between servers, systems, and applications. Sutter said the final Virgin Pulse report, which explained the extent of the intrusion, arrived on October 24.
“Based on the findings of Virgin Pulse’s investigation, it is estimated the personal information of approximately 845,441 Sutter Health patients may be impacted,” Sutter reported in a November 3 announcement on its website. “Importantly, Virgin Pulse can confirm this incident did not impact Social Security numbers and financial information.”
While financial data were not lost, Virgin Pulse noted in a timeline on its website that “certain health information, such as a provider name, prescription name, or treatment code, may have been included.”
If you received a data breach notification and would like to discuss it with an attorney, we are available at 855.696.0024.
We place significant trust in the companies we choose to share our information with, and that trust is betrayed when such data breaches occur on a company’s watch. If you suspect that your information was exposed in the Sutter Health data breach, Morgan & Morgan is here to help. Contact us today for a free case evaluation.