Virta Health Data Breach Exposes Patient Information

Virta Health, a San Francisco-based digital health company that specializes in reversing type 2 diabetes through personalized nutrition and remote care, disclosed a data breach involving unauthorized access to one of its data repositories.

The company identified the unauthorized activity on March 24, 2026, and posted a notice of the data event on its website to inform potentially affected individuals about the incident and share resources for safeguarding their personal information.

On March 23, 2026, a threat actor known as Lapsus-Group posted a claim on a publicly accessible website alleging it had leaked data from Virta Health. The group claimed to have obtained company data and stated it intended to publish the information within six days.

The following day, on March 24, 2026, Virta Health identified unauthorized activity limited to a data repository that was separate from the company's current production platform, according to the company's notification. The company's discovery came just one day after the threat actor's public posting, though the notification did not reference Lapsus-Group or the online claims.

The breach itself reportedly occurred on or about April 10, 2023. This means the unauthorized access may have gone undetected for nearly three years before the company identified it in March 2026.

The company's investigation determined that the breach was confined to the affected data repository and did not extend to other company systems. Certain files within the repository were potentially accessed by unauthorized parties.

According to the company's notification, "certain personal information may have been exposed." However, the specific types of personal information involved were not detailed in the public notice.

Virta Health stated that although the forensic investigation could not rule out the possibility that an unknown actor accessed the information, there was no indication that any of the information had been misused.

Virta Health's response

Virta Health began sending notification letters by mail to potentially affected individuals for whom mailing addresses were available. For individuals whose contact information was not on file, Virta Health published a substitute notice on its website. In its notice, the company described the privacy and protection of information as "a top priority."

To assist those who may have been affected, the company set up a dedicated assistance line to answer questions and address concerns about the incident. The call center can be reached at 833-502-8832, Monday through Friday from 8 a.m. to 8 p.m. Eastern Time, excluding major U.S. holidays. Individuals may also contact the company by email at incident@virtahealth.com.

In its notice, Virta Health recommended that affected individuals take proactive steps to protect their personal information. However, the notice does not mention any offer of free credit monitoring or identity protection services for those whose data may have been exposed.

The notice also included guidance for residents of several states, including California, New York, Massachusetts, Maryland, North Carolina, Oregon, Texas and others. These sections directed residents to their respective state attorneys general offices and consumer protection agencies for additional information on guarding against identity theft.