Cyber Incident Victim: Vitality Group International

Date: May 2023

Location: United States of America

Summary

Vitality Group International suffered a data breach after hackers exploited a zero-day vulnerability in its MOVEit file transfer software. The unauthorized access allowed the attackers to remove files containing the confidential information of consumers. The compromised data included sensitive personal and health information, specifically names, dates of birth, and health details. The healthcare software company subsequently notified affected individuals of the security incident.


Description

On or around May 28, 2023, a previously unknown vulnerability, referred to as a zero-day, was exploited in the MOVEit file transfer software utilized by Vitality Group International, Inc. This software was employed by the company to transmit files containing confidential consumer information. The exploitation of this vulnerability provided an unauthorized third party with access to the company's systems. The specific initial attacker actions and the exact method of intrusion were not detailed in the available information, but the compromise was facilitated by this security flaw in the third-party application.

Vitality Group became aware of the vulnerability in the MOVEit software subsequent to its exploitation. The company launched an immediate investigation to determine the nature and scope of the incident. As a primary containment measure, Vitality shut down access to the affected server to prevent further unauthorized access. The investigation involved a forensic analysis to understand how the vulnerability was leveraged and to identify which systems and data were impacted. Through this investigation, Vitality confirmed that the unauthorized party had accessed certain files and removed them from its network, establishing that data exfiltration had occurred.

The compromised files were reviewed by Vitality Group to ascertain the specific types of consumer information that were accessed and stolen. The analysis determined that the breached data varied from individual to individual but consistently included sensitive personal and health information. The confirmed data elements involved in the breach were names, dates of birth, and health information. The company did not publicly specify the number of individuals affected by this incident, but the scope was significant enough to warrant formal regulatory notification.

On June 22, 2023, Vitality Group International filed a formal notice of data breach with the Attorney General of Montana. This filing served as the public confirmation of the security incident and its link to the MOVEit vulnerability. The same day, the company began the process of directly notifying all individuals whose information was determined to be affected by the data breach. This was accomplished by sending out data breach notification letters via postal mail. These letters were intended to inform victims about the incident and were stated to provide each recipient with a list of the specific information belonging to them that was compromised.

The impact of the incident was the exposure of highly sensitive personal health information. The combination of names, dates of birth, and health information creates a significant risk of identity theft and various forms of fraud for the affected consumers. Such data is highly valued by cybercriminals who may use it themselves to commit fraud or sell it to other malicious actors on illicit marketplaces. The exposure of health information carries particular weight, as it can be used for medical identity theft or insurance fraud, and is often considered among the most sensitive categories of personal data. The breach affected consumers associated with Vitality Group, a company that provides a health and wellness mobile platform used by a global user base.

Vitality Group International, Inc. is a healthcare software company founded in 2005 and based in Chicago, Illinois. The company's platform provides real-time health and wellness updates and uses incentives, data, and behavioral science to encourage users to prioritize their health. Its software is used by more than 30 million people across 40 global markets. The company employs more than 359 people and generates approximately $99 million in annual revenue. The incident involved a third-party software tool, MOVEit, which was integral to the company's file transfer operations, indicating that the attack targeted a specific system within its infrastructure rather than its primary wellness application. The company's response included investigation, containment through server isolation, analysis of breached data, and compliance with regulatory notification requirements.
