Virta Health Discloses Data Breach After Nearly Three-Year Undetected Intrusion
San Francisco-based digital health company Virta Health, which specializes in reversing type 2 diabetes through personalized nutrition and remote care, recently confirmed a data breach involving unauthorized access to a non-production data repository. The incident was first detected on March 24, 2026, though the breach itself occurred on or around April 10, 2023, meaning the intrusion may have gone unnoticed for nearly three years.
The discovery followed a March 23, 2026, claim by the threat actor Lapsus-Group, which posted on a public forum alleging it had obtained and planned to leak Virta Health data within six days. While Virta Health’s official notice did not reference the group, the company acknowledged unauthorized activity in a separate data repository one isolated from its primary production systems. The investigation confirmed that certain files within the repository were potentially accessed, though the company found no evidence of data misuse.
The exposed data may have included personal information, though Virta Health did not specify the types of details compromised in its public notice. The company stated that while forensic analysis could not definitively rule out unauthorized access, there were no signs of subsequent exploitation.
In response, Virta Health began mailing notification letters to affected individuals with available contact information, while those without recorded addresses were informed via a substitute notice on the company’s website. A dedicated assistance line (833-502-8832) and email (incident@virtahealth.com) were established for inquiries, operating Monday through Friday during business hours.
The company did not offer free credit monitoring or identity protection services but provided state-specific guidance for residents in California, New York, Massachusetts, Maryland, North Carolina, Oregon, Texas, and other jurisdictions, directing them to their respective attorneys general and consumer protection agencies for further support. Virta Health emphasized its commitment to data privacy but did not disclose additional details about the breach’s scope or the number of individuals affected.
Source: https://www.claimdepot.com/data-breach/virta-health-2026
Virta Health cybersecurity rating report: https://www.rankiteo.com/company/virta-health
"id": "VIR1780612136",
"linkid": "virta-health",
"type": "Breach",
"date": "4/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Digital Health',
'location': 'San Francisco, California, USA',
'name': 'Virta Health',
'type': 'Company'}],
'customer_advisories': 'Notification letters, substitute notice on website, '
'dedicated assistance line (833-502-8832) and email '
'(incident@virtahealth.com)',
'data_breach': {'personally_identifiable_information': 'Possible',
'type_of_data_compromised': 'Personal information'},
'date_detected': '2026-03-24',
'description': 'Virta Health, a digital health company specializing in '
'reversing type 2 diabetes, confirmed a data breach involving '
'unauthorized access to a non-production data repository. The '
'intrusion went undetected for nearly three years before being '
"discovered following a threat actor's claim.",
'impact': {'data_compromised': 'Personal information',
'identity_theft_risk': 'Possible',
'systems_affected': 'Non-production data repository'},
'investigation_status': 'Ongoing',
'references': [{'date_accessed': '2026-03-23',
'source': 'Public forum post by Lapsus-Group'}],
'regulatory_compliance': {'regulatory_notifications': 'State-specific '
'guidance provided for '
'residents of '
'California, New York, '
'Massachusetts, '
'Maryland, North '
'Carolina, Oregon, '
'Texas, and other '
'jurisdictions'},
'response': {'communication_strategy': 'Notification letters to affected '
'individuals, substitute notice on '
'company website, dedicated assistance '
'line and email'},
'threat_actor': 'Lapsus-Group',
'title': 'Virta Health Data Breach After Nearly Three-Year Undetected '
'Intrusion',
'type': 'Data Breach'}