Healthcare system and provider.
In late May 2023, the Cl0p ransomware gang exploited a zero-day in Progress Software’s MOVEit Transfer platform (CVE-2023-34362) to steal data from Sutter Health’s patient-engagement vendor Welltok (Virgin Pulse) during a May 30-31 window. The exposure affected roughly 845,441 Sutter patients and included names, addresses, phone numbers, emails, dates of birth, insurance-provider details, doctor names, diagnosis/treatment codes, and clinical metrics such as weight and blood pressure; Social Security and payment-card numbers were not included. Sutter was notified on September 22, 2023 and disclosed on November 3, 2023. The data later appeared on Cl0p’s leak site and an underground marketplace (about 1.46 million database rows in December 2024). This was a supply-chain/vendor breach, not a direct compromise of Sutter systems.
ObscureIQ assessment: Severe risk. Exposure enables identity theft, medical fraud, insurance abuse, and targeted scams exploiting care relationships or treatment status.
Although Social Security and payment-card numbers were not in the Welltok dataset, the exposure of names, addresses, dates of birth, insurance and provider details, and diagnosis/treatment codes plus clinical metrics assembled a comprehensive medical dossier on roughly 845,000 patients. That breadth of PHI supports targeted medical identity theft, insurance fraud, and extortion, and the incident became a leading example of third-party vendor risk in healthcare.
Sutter Health is a large not-for-profit integrated health system based in Sacramento, California, operating hospitals, clinics, and physician networks across Northern California and serving millions of patients. It maintains patient identity, clinical, insurance, and billing records across its facilities and works with third-party vendors for patient-engagement and administrative services.
Integrated health systems collect patient identity, contact, insurance, billing, appointment, and clinical records across hospitals, clinics, and administrative operations.
The patient data was exposed not through a direct attack on Sutter but via its patient-engagement vendor Welltok (Virgin Pulse) during the 2023 MOVEit zero-day campaign. Sutter disclosed the incident on November 3, 2023 and offered one year of credit monitoring; it was criticized for the roughly four-month delay. Litigation (Copans v. Sutter Health & Welltok) was consolidated into the federal In re MOVEit MDL.
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Attribution and method are based on available breach intelligence. Reported attack vector: Web Application Exploit.
If you believe your information may be included:
In late May 2023, the Cl0p ransomware gang exploited a zero-day in Progress Software’s MOVEit Transfer platform (CVE-2023-34362) to steal data from Sutter Health’s patient-engagement vendor Welltok (Virgin Pulse) during a May 30-31 window. The exposure affected roughly 845,441 Sutter patients and…
Verified fields include Clinical Metrics, Date of Birth, Doctor Name, Email Address, Full Name, Health Insurance, Medical Diagnosis, Phone Number, Physical Address.
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Every claim on this page is traceable. This breach draws on:
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation