Healthcare Tech Firm Xsolis Reports Data Breach Affecting 1.4 Million After Phishing Attack

NASHVILLE, Tenn. (AP) — Healthcare technology company Xsolis disclosed a data breach affecting approximately 1.4 million individuals following an unauthorized access event that began with a phishing attack in January.

The incident was discovered on June 23, 2026, when the Tennessee-based firm notified affected parties and regulatory bodies of the compromise. The breach involved personal files containing protected health information (PHI) acquired by threat actors who exploited employee credentials obtained through social engineering tactics.

Xsolis confirmed that attackers gained unauthorized access to its systems on January 20, 2026, after a staff member responded to a fraudulent email message designed to mimic legitimate corporate communications. The intrusion allowed the perpetrators to download and exfiltrate sensitive data before security teams detected anomalies in system logs.

The compromised information includes names, dates of birth, Social Security numbers, medical record identifiers, and health insurance details for patients across multiple states who received services through Xsolis clients or partners. While no financial account numbers were confirmed as part of the breach, individuals are advised to monitor their credit reports and consider identity theft protection measures.

Company executives stated that immediate containment actions were taken once the intrusion was identified in early June. Forensic investigators have been engaged to assess the full scope of data exposure and determine whether additional records may require notification under federal privacy laws governing healthcare information security.

State attorneys general offices in several jurisdictions where affected individuals reside are reviewing Xsolis’ compliance with breach disclosure timelines mandated by state statutes. Federal regulators, including representatives from the Department of Health and Human Services Office for Civil Rights, have opened an inquiry into whether proper safeguards were maintained prior to the incident.

Xsolis has not yet identified the specific threat group responsible for the attack or determined if ransom demands were made during negotiations with insiders who may have facilitated access. The company is offering complimentary credit monitoring services to all impacted individuals as part of its remediation efforts.

Legal experts note that this breach highlights ongoing vulnerabilities in healthcare technology infrastructure, where third-party vendors often serve as conduits for large-scale data exposures without direct clinical involvement. Questions remain regarding whether similar phishing campaigns targeted other entities within the same supply chain network or if Xsolis’ internal controls were sufficient to prevent lateral movement once initial access was achieved.

As investigations continue, patients and providers relying on Xsolis systems are urged to report any suspicious activity related to their personal health records. The company has pledged full cooperation with law enforcement agencies pursuing the perpetrators behind what officials describe as one of the largest healthcare data compromises in recent years.