SSM Health Care and Sutter Health Data Breach Exposes Patient Records

Healthcare data breach illustration
Breach Discovery: Not Publicly DisclosedBreach Notification: 26th May 2026

What Happened in the SSM Health and Sutter Health Data Breach?

Two members of the cybercrime group known as Scattered Spider have pleaded guilty to criminal charges connected to a string of cyberattacks, including intrusions against U.S. healthcare providers SSM Health Care Corporation and Sutter Health. The SSM Health Sutter Health data breach stems from attacks that occurred in September 2024, according to court proceedings held in the United Kingdom.

Owen Flowers, 18, of Walsall, admitted to being part of a conspiracy to hack into the two healthcare organizations. His guilty plea came on the first day of a trial that was expected to last six weeks. Flowers also pleaded guilty, alongside 20-year-old Thalha Jubair, to unauthorized computer access charges tied to a separate 2024 attack on Transport for London.

Jubair is also wanted by U.S. law enforcement. Prosecutors in New Jersey unsealed an indictment in September 2025 accusing him and other Scattered Spider members of carrying out 120 computer network intrusions against 47 U.S. entities between May 2022 and September 2025. As a result of these intrusions, victims reportedly paid at least $115 million in ransom payments.

Scattered Spider has been linked to a wide range of cyberattacks over the past several years. The group has used voice phishing, SMS phishing, and SIM-swapping techniques to steal employee credentials and gain unauthorized access to corporate networks. Investigators say this pattern of social engineering played a role in the healthcare intrusions as well.

Who was affected?

The SSM Health Sutter Health data breach may affect patients of both healthcare systems. SSM Health operates hospitals and clinics across the Midwest, while Sutter Health serves patients throughout Northern California. Because both organizations handle sensitive medical and personal information, patients of either provider could be affected.

The exact number of individuals affected by these intrusions hasn’t been publicly disclosed. However, given the scale of Scattered Spider’s broader campaign, which prosecutors say touched dozens of U.S. entities, the potential patient impact could be significant.

In addition to patients, employees of these healthcare organizations may also be at risk. Scattered Spider has a documented history of targeting employee credentials directly through phishing and SIM-swapping schemes. Therefore, staff members could also have had personal information exposed as part of these intrusions.

What Information Was Potentially Exposed?

Court filings and law enforcement statements have not detailed the exact categories of data taken from SSM Health and Sutter Health. However, because Scattered Spider’s healthcare intrusions typically target systems holding patient and employee records, the following types of information are commonly at risk in attacks of this nature:

  • Patient names and contact information
  • Medical record numbers
  • Health insurance information
  • Treatment and diagnosis details
  • Employee login credentials
  • Other personally identifiable information tied to patient or staff accounts

When healthcare data is exposed, the risks can be serious. Medical identity theft can lead to fraudulent insurance claims filed in a patient’s name. In addition, exposed personal details can fuel targeted phishing attempts and broader identity theft schemes. Because health records often contain a mix of financial and medical details, victims may face both financial and medical fraud risks simultaneously.

What is the company doing?

Neither SSM Health nor Sutter Health has issued detailed public statements describing their remediation steps in the source material reviewed for this report. However, the criminal case against Flowers and Jubair shows that law enforcement agencies in both the UK and the U.S. have been actively investigating the intrusions since at least 2024.

As a result of the guilty pleas, Flowers and Jubair are scheduled to be sentenced in a London court on July 15, 2026. Meanwhile, U.S. prosecutors continue to pursue related charges against other alleged Scattered Spider members, including individuals still awaiting trial in the United States.

Because this case remains under active legal proceedings, further details about specific notification efforts or protective services offered to affected patients may emerge as the situation develops. Individuals concerned about their exposure should watch for official communications directly from SSM Health or Sutter Health.

What Should Affected Individuals Do?

Monitor Your Credit Reports

Anyone who may have been affected by the SSM Health Sutter Health data breach should regularly check their credit reports for unfamiliar accounts or inquiries. You can request free credit reports from the three major credit bureaus. Reviewing these reports often helps catch fraudulent activity early, before it causes lasting financial damage.

Watch for Phishing Attempts

Because Scattered Spider frequently uses phishing and impersonation tactics, affected individuals should be cautious of unexpected emails, texts, or phone calls claiming to be from healthcare providers or financial institutions. Never click on links or provide personal information in response to unsolicited messages. Instead, contact the organization directly using a verified phone number or website.

Consider a Fraud Alert or Credit Freeze

If you believe your personal information was exposed, placing a fraud alert or credit freeze on your credit file can add an extra layer of protection. A fraud alert requires lenders to verify your identity before opening new credit. A credit freeze goes further by blocking access to your credit report entirely until you lift it, which makes it harder for identity thieves to open accounts in your name.

Protect Against Medical Identity Theft

Because this breach involves healthcare providers, patients should review their medical records and insurance statements closely. Look for any treatments, prescriptions, or claims you don’t recognize. If you spot suspicious activity, report it to your healthcare provider and insurance company right away, since medical identity theft can be harder to detect and resolve than standard financial fraud.

Stay Informed and Seek Legal Guidance

As this case continues to develop, affected individuals should stay alert for updates from SSM Health, Sutter Health, or regulatory agencies. If you discover that your personal or medical information was misused, consulting a data breach attorney can help you understand your legal options. Many attorneys offer free case evaluations to help victims determine whether they qualify for compensation.



More Information

Official data breach notification from Washington State Attorney General

Related Data Breaches