Virta Health Data Breach Lawsuit Investigation
Received a March 2026 breach notice from Virta Health?
Dapeer Law, P.A. is investigating a potential class action against Virta Medical PC (Virta Health), a San Francisco-based digital health company that treats type 2 diabetes and other metabolic conditions through telemedicine, on behalf of patients whose Social Security numbers and medical information may have been exposed in the March 2026 cyber incident.
Who may qualify
You may be eligible to participate in a class action if any of the following applies:
- You received a data breach notification letter from Virta Health dated March 2026.
- Your letter offered enrollment in complimentary credit monitoring services.
- You had personal or medical information held by Virta Health in its capacity as a digital healthcare provider.
- No proof of harm required to consult with counsel. You do not need to have already suffered identity theft to explore your legal options.
- Excluded: individuals who did not receive a breach notice and whose information was not involved in the incident.
Not sure if you qualify?
Send us your notice and we'll confirm your eligibility at no cost.
What happened
According to Virta Health's notice to the California Attorney General, the company detected unauthorized activity on March 24, 2026 in a data repository that was separate from its production platform. Virta says it secured the environment, launched an investigation with outside cybersecurity experts, and notified law enforcement. The investigation found that certain files in the repository were potentially accessed during a three-day window between March 19 and March 22, 2026.
Virta Health reported the incident to the California Attorney General on June 12, 2026 and began mailing notice letters to affected individuals on June 17, 2026, nearly three months after the suspicious activity was discovered. The notice states that the exposed files may have contained names, Social Security numbers, dates of birth, dates of medical service, medical diagnoses and treatment details, medical record numbers, physician or facility information, and other unique health identifiers. The company is offering complimentary credit monitoring and says it has found no evidence of misuse to date.
Because the reported data set combines Social Security numbers with detailed medical information, affected patients may face an elevated risk of identity theft and medical fraud. Health records carry a high value on illicit markets, and our investigation is evaluating whether Virta Health's data security practices met the standards required of healthcare providers under HIPAA and applicable state laws.
What to do if you received a letter
Keep your notice letter
Do not discard it. Your letter contains the enrollment code for credit monitoring and is important evidence if you decide to participate in a lawsuit.
Enroll in the complimentary credit monitoring
Enroll in the credit monitoring offered in your letter before the stated deadline. Accepting this benefit does not waive your right to pursue legal action.
Place a fraud alert or credit freeze
Contact Equifax, Experian, and TransUnion to place a fraud alert or freeze on your file. Request a free weekly credit report from AnnualCreditReport.com, and use the FTC's IdentityTheft.gov recovery guide.
Speak with a data breach attorney
Consultations with Dapeer Law are free and confidential. We'll review your notice, explain your options, and advise whether you may be eligible to join a class action.
Submit your notice for a free review
Two minutes online. A licensed attorney reviews every submission.
Compensation you may be entitled to
Out-of-pocket expenses
Credit freezes, identity restoration services, and other costs incurred responding to the breach.
Time spent monitoring
Hours spent reviewing accounts, disputing fraudulent charges, and dealing with identity theft issues.
Identity theft & fraud losses
Unreimbursed funds stolen from accounts, unauthorized credit lines, or tax refund fraud tied to the breach.
Statutory damages
Certain state data breach and consumer protection statutes provide for fixed damages regardless of actual loss.
Injunctive relief
Court orders requiring Virta Health to implement stronger data security practices going forward.
Compensation categories depend on applicable state law, the types of data exposed, and documented losses. No recovery is guaranteed.
Common questions
I received a data breach letter from Virta Health. What should I do?
Keep your notice letter, enroll in the complimentary credit monitoring before the deadline, consider placing a fraud alert or security freeze with the credit bureaus, and review your medical and financial statements for unfamiliar activity. Because medical information was involved, also watch for unexpected bills, explanation of benefits statements, or collection notices for care you did not receive. You can contact a data breach attorney to discuss your options at no cost.
Am I eligible to join a class action against Virta Health?
If you received a breach notice from Virta Health dated June 17, 2026, you may be eligible. Factors that can affect a claim include your state of residence, the categories of information exposed in your individual letter, and whether you have experienced any identity theft, fraud, or out-of-pocket losses.
How much money could I receive from a class action lawsuit?
Data breach class action recoveries vary significantly. Settlements typically range from a few hundred dollars for basic out-of-pocket losses to several thousand dollars for documented identity theft, with class size, damages, and negotiation all affecting the final amount. No payout is guaranteed, and this investigation has not yet resulted in a settlement.
What personal information was exposed in the breach?
Virta Health's notice reports that the affected files may have contained names, Social Security numbers, dates of birth, dates of medical service, medical diagnoses and treatment details, medical record numbers, physician or facility information, and other unique health identifiers. The specific data involved can vary by individual, so check your own letter for the details that apply to you.
Did Virta Health offer free credit monitoring?
Yes. Virta Health is offering complimentary credit monitoring, with enrollment instructions and an activation deadline provided in the notice letter. The duration and provider were not specified in the public notice. Enrolling does not waive your right to pursue legal claims.
How many people were affected by the Virta Health breach?
Virta Health has not publicly disclosed the total number of affected individuals as of June 2026. This page will be updated as more information becomes available from the California Attorney General filing or other sources.
Is there a deadline to take legal action?
Yes. Statutes of limitations for data breach claims vary by state and legal theory, typically ranging from one to six years. Waiting can permanently bar your claim. Contact us as soon as possible for a free evaluation.
How do I get a copy of the official breach notice?
A redacted copy of the notice was filed with the California Attorney General and is available through its data breach notification portal. Dapeer Law can also help you obtain a copy of the notice during a free consultation.
Sources & references
- Official breach notice filing · California Attorney General, Data Breach Notice (PDF)
- Company · Virta Medical PC (Virta Health) (virtahealth.com)
- Credit bureau freezes · Equifax · Experian · TransUnion
- Free weekly credit reports · AnnualCreditReport.com
- Identity theft recovery guide · FTC IdentityTheft.gov
Don't let the deadline decide for you. Submit your claim today.
You only have a limited window to act. Our team will review your notice, explain your options, and tell you whether you may be eligible to recover compensation, at no cost to you.