Sutter Health 2023 Data Breach

Sutter Health MOVEit Vendor Breach (2023): 845K Patient Records Including Medical Diagnoses Exposed via Welltok | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Cl0pWeb Application ExploitMedicalClinical MetricsDate of BirthDoctor NameEmail AddressFull NameHealth InsuranceMedical Diagnosis
High SeverityWebsite / service breach

Sutter Health MOVEit Vendor Breach (2023): 845K Patient Records Including Medical Diagnoses Exposed via Welltok

Healthcare system and provider.

Verified by ObscureIQ Intelligence
65/100Breach Risk Index
40Data Value
25Market Recency
581dSince Breach

Breach Intelligence Summary

Entity: Sutter Health · Actor: Cl0p · Sources: 2 references
Attack: Web Application Exploit
Profile: Healthcare provider · Hospital and clinical care services · Integrated health system · USA
Timeline: Breach (2023-05-31) · Year (2023)
Exposure: 845K records · 9 fields: Clinical Metrics, Date of Birth, Doctor Name, Email Address, Full Name, Health Insurance, Medical Diagnosis, Phone Number, Physical Address
Status: Confirmed

Executive Summary

In late May 2023, the Cl0p ransomware gang exploited a zero-day in Progress Software’s MOVEit Transfer platform (CVE-2023-34362) to steal data from Sutter Health’s patient-engagement vendor Welltok (Virgin Pulse) during a May 30-31 window. The exposure affected roughly 845,441 Sutter patients and included names, addresses, phone numbers, emails, dates of birth, insurance-provider details, doctor names, diagnosis/treatment codes, and clinical metrics such as weight and blood pressure; Social Security and payment-card numbers were not included. Sutter was notified on September 22, 2023 and disclosed on November 3, 2023. The data later appeared on Cl0p’s leak site and an underground marketplace (about 1.46 million database rows in December 2024). This was a supply-chain/vendor breach, not a direct compromise of Sutter systems.

ObscureIQ assessment: Severe risk. Exposure enables identity theft, medical fraud, insurance abuse, and targeted scams exploiting care relationships or treatment status.

Breach Impact

Although Social Security and payment-card numbers were not in the Welltok dataset, the exposure of names, addresses, dates of birth, insurance and provider details, and diagnosis/treatment codes plus clinical metrics assembled a comprehensive medical dossier on roughly 845,000 patients. That breadth of PHI supports targeted medical identity theft, insurance fraud, and extortion, and the incident became a leading example of third-party vendor risk in healthcare.

About Sutter Health

Sutter Health is a large not-for-profit integrated health system based in Sacramento, California, operating hospitals, clinics, and physician networks across Northern California and serving millions of patients. It maintains patient identity, clinical, insurance, and billing records across its facilities and works with third-party vendors for patient-engagement and administrative services.

Why They Hold Your Data

Integrated health systems collect patient identity, contact, insurance, billing, appointment, and clinical records across hospitals, clinics, and administrative operations.

Recent Developments

The patient data was exposed not through a direct attack on Sutter but via its patient-engagement vendor Welltok (Virgin Pulse) during the 2023 MOVEit zero-day campaign. Sutter disclosed the incident on November 3, 2023 and offered one year of credit monitoring; it was criticized for the roughly four-month delay. Litigation (Copans v. Sutter Health & Welltok) was consolidated into the federal In re MOVEit MDL.

Data Points Exposed

9 verified field types
Clinical Metrics
Date of Birth High
Doctor Name
Email Address
Full Name High
Health Insurance
Medical Diagnosis Critical
Phone Number
Physical Address High

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • Medical identity fraud and insurance abuse using diagnosis, treatment, and insurance data
  • Targeted extortion using clinical metrics and diagnosis codes
  • Identity verification bypass using name + date of birth
  • Targeted phishing and vishing referencing providers or treatment
  • Doxxing and physical targeting from exposed home addresses
Threat vectors:
  • Medical extortion, insurance fraud & discrimination
  • Identity verification bypass
  • Name-based social engineering
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat

Threat Actor: Cl0p

Cl0p
Web Application Exploit

Attribution and method are based on available breach intelligence. Reported attack vector: Web Application Exploit.

Recommended Actions

If you believe your information may be included:

Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Sutter Health breach?

In late May 2023, the Cl0p ransomware gang exploited a zero-day in Progress Software’s MOVEit Transfer platform (CVE-2023-34362) to steal data from Sutter Health’s patient-engagement vendor Welltok (Virgin Pulse) during a May 30-31 window. The exposure affected roughly 845,441 Sutter patients and…

What data was exposed?

Verified fields include Clinical Metrics, Date of Birth, Doctor Name, Email Address, Full Name, Health Insurance, Medical Diagnosis, Phone Number, Physical Address.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation