This week, the Vitality Group (“Vitality”) filed a notice of data breach with the Attorney General of Massachusetts on behalf of GuidePoint Security after discovering that a file transfer software used by Vitality contained a critical vulnerability. As a result of this vulnerability, an unauthorized party was able to access certain GuidePoint Security employees’ sensitive information, which includes their names, Social Security numbers, mailing addresses and dates of birth. Upon completing its investigation, Vitality began sending out data breach notification letters to all GuidePoint employees whose information was affected by the recent data security incident.
If you received a MOVEit data breach notification from the Vitality Group, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft as well as discuss your legal options following the Vitality data breach. For more information, please see our recent piece on the topic here.
What Caused the Vitality Group / GuidePoint Breach?
The Vitality / GuidePoint data breach was only recently announced, and more information is expected in the near future. However, Vitality’s filing with the Attorney General of Massachusetts provides some important background information about how the incident occurred.
According to this source, Vitality provides certain employee-wellness services to GuidePoint. This required GuidePoint to give Vitality certain confidential information about its employees.
As a part of its business operations, Vitality uses a file-transfer software called MOVEit. MOVEit was created by Progress Software, LLC. On May 30, 2023, Progress Software announced a critical vulnerability in the MOVEit software that allowed hackers to access information stored on its client’s MOVEit servers.
Vitality identified the vulnerability on June 1, 2023, at which point, Vitality disconnected the MOVEit software from its server. This eliminated the risk of future unauthorized access. However, upon further investigation, Vitality determined that an unauthorized party was able to access confidential information belonging to GuidePoint employees.
After learning that sensitive consumer data was accessible to an unauthorized party, Vitality reviewed the compromised files to determine what information was leaked and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, mailing address and date of birth.
More recently, Vitality sent out data breach letters on behalf of GuidePoint to anyone who was affected by the recent data security incident. So, while the Vitality / GuidePoint data breach did not involve hackers gaining access to any of GuidePoint’s systems, it did result in confidential GuidePoint employee information being made accessible to an unauthorized party through a vulnerability in the MOVEit software.
More Information About GuidePoint Security and the Vitality Group
Founded in 2011, GuidePoint Security is a security software company based out of Herndon, Virginia. The company provides customized cybersecurity solutions to commercial and government clients. GuidePoint Security employs more than 722 people and generates approximately $839 million in annual revenue.
Founded in 2005, Vitality Group International, Inc. is a software company headquartered in Chicago, Illinois. Vitality created a mobile platform that provides health and wellness updates in real-time, encouraging its customers’ employees to prioritize their health through incentives, data and behavioral science. Vitality’s software is used by more than 30 million people in 40 markets across the world. Vitality Group employs more than 359 people and generates approximately $99 million in annual revenue.
