The California Office of the Attorney General disclosed a data breach affecting **Sutter Health**, a major healthcare provider, on **November 3, 2023**. The incident originated on **May 30, 2023**, when an **unidentified threat actor exploited a vulnerability in the MOVEit Transfer server**, a third-party file transfer tool used by the organization. The attacker successfully **exfiltrated sensitive personal data**, including **patient names and other personally identifiable information (PII)**. While the breach exposed confidential records, **no evidence of misuse or further malicious activity (e.g., financial fraud, identity theft, or ransom demands) has been reported** as of the disclosure.

The breach highlights vulnerabilities in third-party software supply chains, which cybercriminals increasingly target to access high-value data. Sutter Health, which operates a network of hospitals and medical facilities, likely faced **operational and reputational risks** due to the exposure of patient data, though the immediate financial or systemic impact appears contained. The incident aligns with broader trends in healthcare cyberattacks, where **protected health information (PHI) remains a prime target** for exploitation in underground markets or follow-on attacks. Regulatory scrutiny and potential compliance penalties (e.g., under HIPAA) may follow, given the sensitive nature of the compromised data.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-576106
TPRM report: https://www.rankiteo.com/company/sutter-health
"id": "sut004091825",
"linkid": "sutter-health",
"type": "Breach",
"date": "5/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Healthcare',
'location': 'California, USA',
'name': 'Sutter Health',
'type': 'Healthcare Provider'}],
'attack_vector': 'Exploitation of MOVEit Transfer Server Vulnerability',
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'Moderate (personal information)',
'type_of_data_compromised': ['Personal data', 'Names']},
'date_detected': '2023-05-30',
'date_publicly_disclosed': '2023-11-03',
'description': 'The California Office of the Attorney General reported a data '
'breach involving Sutter Health on November 3, 2023. The '
'breach occurred on May 30, 2023, when an unknown actor '
'accessed the MOVEit Transfer server and exfiltrated personal '
'data, including names and other personal information, though '
'no evidence of misuse has been reported.',
'impact': {'data_compromised': ['Names', 'Other personal information'],
'identity_theft_risk': 'Potential (no evidence of misuse reported)',
'systems_affected': ['MOVEit Transfer server']},
'initial_access_broker': {'entry_point': 'MOVEit Transfer server '
'vulnerability'},
'investigation_status': 'Ongoing (no evidence of misuse reported as of '
'disclosure)',
'post_incident_analysis': {'root_causes': ['Exploitation of unpatched MOVEit '
'Transfer vulnerability']},
'references': [{'date_accessed': '2023-11-03',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Potential HIPAA (Health '
'Insurance Portability and '
'Accountability Act) '
'violations'],
'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': 'Public disclosure via California '
'Office of the Attorney General'},
'threat_actor': 'Unknown',
'title': 'Sutter Health MOVEit Transfer Data Breach',
'type': 'Data Breach',
'vulnerability_exploited': 'MOVEit Transfer (CVE-2023-34362 or related)'}