On June 30, 2023, Vitality Group International, Inc. (“Vitality”) filed a notice of data breach with the Attorney General of Vermont on behalf of Ambry Genetics and REALM IDX (“Ambry”) after discovering that a file transfer software used by Vitality contained a critical vulnerability. Because of this vulnerability, an unauthorized party was able to access confidential consumer information that was provided to Vitality by Ambry and REALM IDx. In Vitality’s notice, the company explains that the incident resulted in an unauthorized party being able to access Ambry employees’ sensitive information, including their names, Social Security numbers, work email addresses, genders, dates of birth, and home addresses. Upon completing its investigation, Vitality Group began sending out data breach notification letters on behalf of Ambry to all employees who were affected by the recent data security incident.

If you received a data breach notification from Vitality Group International, Inc., it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the Vitality Group International data breach. For more information, please see our recent piece on the topic here.

What Caused the Breach Affecting Ambry Genetics and REALM IDx?

The Vitality Group / Ambry Genetics data breach was only recently announced, and more information is expected in the near future. However, Vitality Group’s filing with the Attorney General of Vermont provides some important information on what led up to the breach.

According to this source, Ambry and REALM IDx have Vitality Group provide the companies with certain services, requiring Ambry and REALM IDx to provide Vitality with personal information about its employees. Vitality uses a file-transfer software called MOVEit, which was created by Progress Software, LLC.

On May 30, 2023, Progress Software discovered a zero-day vulnerability that allowed hackers to access information that was transferred using MOVEit. A zero-day vulnerability is one that the creator of the software had no idea existed until it was exploited by hackers, giving them “zero days” to fix it. Thus, by the time Progress Software discovered the vulnerability, hackers were already able to exploit it.

After Vitality identified the vulnerability, it temporarily disabled MOVEit and launched an investigation, ultimately concluding that the MOVEit vulnerability allowed an unauthorized party to access confidential information belonging to Ambry and REALM IDx employees.

After learning that sensitive consumer data was accessible to an unauthorized party, Vitality Group International reviewed the compromised files to determine what information was leaked and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, work email, gender, date of birth, and home address.

On June 30, 2023, Vitality Group International sent out data breach letters on behalf of Ambry and REALM IDx to all employees who were affected by the incident.

More Information About Ambry Genetics and REALM IDx

Founded in 1999 and based in Aliso Viejo, California, Ambry Genetics is a healthcare services company that provides clinical genetic diagnostics and genetics software solutions for medical facilities. Some of the company’s tests are used for screening and diagnosis of exome, epilepsy, cancer, cardiovascular disease, and neurodevelopmental disorders. Ambry Genetics is part of the larger healthcare diagnostics company REALM IDx, which is also based in Aliso Viejo, California. Ambry Genetics employs more than 900 people and generates approximately $303 million in annual revenue.