Sutter Senior Care

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Sutter Senior Care, a division of Sutter Health in Northern California, experienced a data breach due to a global exploit of a file transfer tool called MOVEit, which was used by their vendor, Cognisight, LLC. Cognisight provides specialized healthcare management services and was responsible for transferring protected health information as required by the Centers for Medicare & Medicaid Services[1][4].

The breach was discovered on May 31, 2023, when Cognisight learned of the MOVEit exploit. They immediately stopped access to MOVEit and conducted a forensic investigation, which was completed on June 5, 2023. It was determined that files had been taken from the MOVEit server, and Sutter Senior Care was notified on June 27, 2023. A review of the files was completed by July 12, 2023, revealing that protected health information had been impacted[1].

The compromised information included names, dates of birth, Social Security numbers, health information such as treatment information or diagnosis, provider information, and patient identification numbers. While there was no indication that the information had been misused, affected individuals were notified and provided with resources to protect themselves, including credit monitoring and identity protection services[1][4].

Cognisight filed a notice of data breach with the Attorney General of California on behalf of Sutter Senior Care on July 22, 2023. Data breach notification letters were sent to all individuals whose information was affected by the incident[4].

This incident is part of a larger breach that affected multiple healthcare providers and resulted in the exposure of personal information for 845,000 patients of Sutter Health[2][12]. The MOVEit software vulnerability was reportedly present in software versions dating back to 2021, and the breach occurred over five months before patients were notified, which may have violated state and federal laws[14].

Affected individuals were advised to take steps to protect their personal information, such as placing a fraud alert or a security freeze on their credit file, and to regularly review their credit reports and financial statements for any suspicious activity[1].

Citations:

  1. https://oag.ca.gov/system/files/Final%20Letter%20Template.pdf
  2. https://original.newsbreak.com/@golden-gate-media-1351221/3225600350177-data-breach-exposes-personal-info-for-845-000-patients-of-prominent-california-healthcare-provider
  3. https://www.sacbee.com
  4. https://www.jdsupra.com/legalnews/cognisight-files-notice-of-data-breach-2510879/
  5. https://www.torrancememorial.org
  6. https://www.myinjuryattorney.com/cognisight-sutter-senior-care-data-breach-investigation/
  7. https://www.centredaily.com
  8. https://www.hipaajournal.com/sutter-senior-care-allegheny-county-moveit-transfer/
  9. https://www.sf.gov/departments/department-public-health
  10. https://potterhandy.com/sutter-senior-care-data-breach-lawsuit
  11. https://www.nvsos.gov/sos
  12. https://www.sacbee.com/news/local/health-and-medicine/article281713003.html
  13. https://www.workingadvantage.com
  14. https://www.prnewswire.com/news-releases/privacy-alert-sutter-health-and-welltok-under-investigation-for-data-breach-of-845-000-patient-records-301993936.html
  15. https://www.bain.com
  16. https://www.kcra.com/article/sutter-health-vendor-data-breach-moveit/45807041
  17. https://skillbridge.osd.mil/locations.htm
Breach Submission Date Jul 22, 2023
Converted Entity Name Sutter Senior Care
Converted Entity Type Healthcare Provider
State CA
Individuals Affected 519
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes