Virta Health Issues Notice Regarding Data Security Event

Virta Health Provides Update on Security Incident and Ongoing Efforts to Protect Personal Information

Virta Health Corp. and Virta Medical PC (collectively referred to as “Virta Health”), a leader in technology-enabled healthcare services, has issued a substitute notice regarding a recent cybersecurity incident that may have involved access to certain personal information. The organization is providing details about the event, the actions taken in response, and the resources available to potentially affected individuals.

Protecting the privacy and security of patient and customer information remains a fundamental priority for Virta Health. The company emphasized that it responded swiftly upon discovering unusual activity and has taken significant measures to strengthen safeguards and support those who may have been impacted.

According to Virta Health, the incident was identified on March 24, 2026, when the company detected unauthorized activity involving a data repository that was separate from its active production platform. Upon discovering the activity, Virta Health immediately launched its incident response protocols, secured the affected environment, and began a comprehensive investigation to determine the nature and extent of the event.

To ensure a thorough review, the company engaged independent cybersecurity specialists with expertise in digital forensics and incident response. These external experts worked alongside internal teams to analyze the circumstances surrounding the incident, assess potential exposure of information, and identify any vulnerabilities that may have been exploited. Law enforcement authorities were also notified as part of the company’s response efforts.

The investigation determined that the activity was confined to a specific data repository and did not involve Virta Health’s current production systems. However, investigators found that certain files stored within the repository may have been accessed by an unauthorized individual. As a result, some personal information contained within those files could have been exposed.

Although forensic specialists conducted an extensive review, they were unable to definitively rule out the possibility that an unknown actor accessed the information contained in the affected files. At the same time, investigators found no evidence indicating that any personal information has been misused, fraudulently exploited, or distributed as a result of the incident. Nevertheless, Virta Health is notifying affected individuals out of an abundance of caution and in accordance with applicable legal and regulatory requirements.

Following the completion of the investigation and data review process, Virta Health began contacting individuals whose information may have been involved and for whom valid mailing addresses were available. These notifications are intended to provide transparency regarding the incident and to help individuals understand any steps they may wish to take to further protect their personal information.

Cybersecurity incidents continue to present challenges across many industries, including healthcare, where organizations manage large volumes of sensitive information. Healthcare providers and digital health companies are increasingly investing in advanced security technologies and monitoring systems to detect and respond to potential threats. Virta Health noted that it takes these responsibilities seriously and has implemented additional measures designed to enhance the protection of information and reduce the likelihood of similar incidents occurring in the future.

As part of its response, the company reviewed existing security controls, strengthened monitoring capabilities, and evaluated additional safeguards to further protect its systems and data assets. While the investigation remains focused on understanding every aspect of the incident, Virta Health stated that the security of personal information remains central to its operations and long-term strategy.

The company is also encouraging individuals to remain vigilant by reviewing account statements, monitoring credit reports, and promptly reporting any suspicious activity to relevant financial institutions or authorities. While there is currently no indication that personal information has been misused, maintaining awareness and regularly monitoring personal accounts are considered best practices following any potential data exposure event.

To assist those who may have questions about the incident, Virta Health has established a dedicated support center staffed with representatives trained to address concerns and provide additional information. The assistance line is available Monday through Friday from 8:00 a.m. to 8:00 p.m. Eastern Time, excluding major U.S. holidays.

In addition to telephone support, individuals may submit questions or request further The company has indicated that representatives are prepared to help explain the nature of the incident, discuss available resources, and respond to concerns regarding personal information.

Virta Health has also published detailed information regarding the event through a dedicated notice available on its website. The notice provides updates about the incident, answers to frequently asked questions, and guidance for individuals interested in taking additional precautions to safeguard their information.

The organization emphasized that transparency remains a key component of its response. By communicating openly about the incident and providing support resources, Virta Health aims to ensure that affected individuals have access to timely and accurate information.

While investigations into cybersecurity incidents can often be complex and require extensive forensic analysis, Virta Health stated that it remains committed to cooperating with law enforcement authorities and cybersecurity experts as needed. The company will continue evaluating security practices and implementing enhancements designed to strengthen data protection across its environment.

Industry experts note that proactive notification and comprehensive incident response measures are critical elements of responsible cybersecurity management. Rapid containment efforts, independent forensic reviews, law enforcement coordination, and clear communication with affected individuals are among the steps commonly recommended following the discovery of unauthorized access activity. Virta Health indicated that its response was guided by these principles and focused on protecting the interests of patients, customers, and stakeholders.

As digital healthcare services continue to expand, organizations face evolving cybersecurity risks that require ongoing vigilance and investment. Virta Health acknowledged the importance of maintaining robust defenses and adapting security programs to address emerging threats. The company stated that it remains dedicated to preserving trust by continually strengthening its security posture and safeguarding sensitive information entrusted to its care.

Although there is currently no evidence that the potentially exposed information has been used improperly, Virta Health recognizes that news of a security incident may cause concern for affected individuals. The company expressed regret for any inconvenience, uncertainty, or anxiety resulting from the event and reaffirmed its commitment to supporting those impacted.

Virta Health concluded by emphasizing that the privacy, confidentiality, and security of personal information remain among its highest priorities. Through ongoing monitoring, enhanced security measures, transparent communication, and dedicated customer support, the company intends to continue protecting the information of the individuals it serves while working to prevent similar incidents in the future.

About

Virta Health has responded proactively to a security incident involving a separate data repository by securing affected systems, conducting a comprehensive investigation, engaging independent cybersecurity experts, and notifying potentially impacted individuals. While there is no evidence of misuse of personal information, the company remains committed to transparency, enhanced security measures, and providing support resources to help individuals protect their data.
