Virta Medical PC Data Breach Investigation

Date of data breach: June 12, 2026

by: Almeida Law Group

Almeida Law Group is investigating a data breach at Virta Medical PC. The breach occurred on March 19th, 2026 and was discovered on an unspecified date. If you were affected, contact Almeida Law Group.

About Virta Medical PC

Virta Medical PC is a clinic and group practice entity registered in Georgia that operates as part of Virta Health Corp., a privately held digital health company headquartered in Denver, Colorado. Virta Health provides virtual care for individuals with type 2 diabetes, prediabetes, and obesity, delivering medical services through a telehealth model. Because the breach involved patients who enrolled in or received Virta’s services, the exposed data includes sensitive health and personal identifying information.

What Happened?

Virta Medical PC was listed in a California Attorney General sample breach notice filed June 12th, 2026. According to the notice letter, on March 24th, 2026, Virta Health identified unauthorized activity limited to a data repository separate from its current production platform. The investigation determined that certain files in that repository were potentially accessed between March 19th, 2026 and March 22nd, 2026. The exposed information included first and last name, Social Security number, date of birth, date of medical service, medical diagnosis information, physician or medical facility information, medical condition or treatment information, medical record number, and other unique health identifiers. The total number of individuals affected has not been publicly disclosed. Virta stated there is no indication that any information has been misused at this time, and it is offering 12 months of complimentary single-bureau credit monitoring to affected individuals.

The Lapsus$ threat group publicly claimed responsibility for the attack on March 23rd, 2026 — one day before Virta Health detected the unauthorized activity. One third-party source reports the initial unauthorized access may date back to April 2023, suggesting a potential multi-year detection gap, though the California AG notice letter states the access window was March 19th, 2026 through March 22nd, 2026; this discrepancy between sources has not been resolved. A proposed class action lawsuit, Koenemann v. Virta Health Corporation, was filed in the U.S. District Court for the District of Colorado in April 2026, alleging the company failed to adequately safeguard patients’ personal and medical information. Law firms Shamis & Gentile P.A. and Migliaccio & Rathod LLP have separately announced investigations into the breach on behalf of affected individuals.

Key Facts at a Glance

  • Company or Organization: Virta Medical PC (and Virta Health Corp.)
  • Industry: Healthcare / Telehealth / Digital Therapeutics
  • Location: Denver, Colorado (Virta Health Corp.); Virta Medical PC registered in Georgia
  • Incident type: Unauthorized access to a data repository
  • Date of breach: March 19th, 2026
  • Date breach discovered: March 24th, 2026
  • Date of consumer notification: June 17th, 2026
  • Identity theft protection offered: 12 months of single-bureau credit monitoring, credit report, and credit score services through CyberScout
  • Enrollment deadline: 90 days from June 17th, 2026
  • Prior breach: None found in available sources
  • Litigation status: Koenemann v. Virta Health Corporation, proposed class action filed in U.S. District Court for the District of Colorado, April 2026; investigations announced by Shamis & Gentile P.A. and Migliaccio & Rathod LLP
  • Source: California Attorney General sample breach notice; HIPAA Journal; Law360; ClaimDepot

What Should You Do?

If you received a notice from Virta Health, enroll in the complimentary credit monitoring service at bfs.cyberscout.com/activate within 90 days of June 17th, 2026 using the unique code provided in your letter. Because Social Security numbers and health information were exposed, you should also consider placing a fraud alert or credit freeze with the three major credit bureaus — Equifax, Experian, and TransUnion. Review your credit reports for any unfamiliar accounts or activity at AnnualCreditReport.com. Since medical information was involved, carefully review your Explanation of Benefits statements and medical records for any services you did not receive, and report any suspicious activity to your health insurer. If you suspect identity theft has already occurred, visit IdentityTheft.gov to report it and get a personalized recovery plan.

Your Legal Rights

If your personal or health information was involved in this breach, you may have legal rights depending on the facts of the incident and the law in your state. Almeida Law Group represents consumers in data breach and privacy litigation and can help you evaluate whether you may have a claim. Contact us at (708) 529-5418 or through our contact page for a free case evaluation.
