Data breach | Ongoing

AdaptHealth reports material breach of patient data after social-engineering attack

Home medical equipment provider AdaptHealth disclosed a material cybersecurity incident in which a social-engineering attack on a third-party contractor let a threat actor into its cloud systems, where the actor reached patient personal and health information.

Victim
AdaptHealth

On 2 July 2026, AdaptHealth (one of the largest U.S. providers of home medical equipment and supplies, headquartered in Plymouth Meeting, Pennsylvania) disclosed a material cybersecurity incident in a filing with the U.S. Securities and Exchange Commission, confirming that a threat actor had reached internal systems holding patient personal and health information. The company said the intrusion began with a social-engineering attack on a third-party contractor, whose credentials were then used to enter AdaptHealth's cloud environment.

According to the company, it first learned something was wrong on 15 June 2026, when a threat actor contacted AdaptHealth claiming to have obtained certain data from its systems. AdaptHealth activated its incident response procedures, engaged external cybersecurity advisers, and notified law enforcement. On 27 June 2026, the company determined that the incident was material given the nature and potential volume of the data at risk, and it filed a Form 8-K disclosing the matter in early July.

What was accessed

AdaptHealth said the attacker gained unauthorised access to several of its cloud-based business applications, including certain internal patient management systems and document storage platforms, and confirmed that external electronic health record system portals were accessed. The data implicated includes passwords associated with insurance billing along with personally identifiable information and protected health information of patients. The company cautioned that the full scope of the affected data sets had not yet been determined and that it could not yet quantify the volume of data involved.

Threat actor

AdaptHealth did not name an attacker in its regulatory filing. Subsequent reporting indicated that the data-theft and extortion group ShinyHunters had added AdaptHealth to its leak site and threatened to publish the stolen data unless a ransom was paid, a claim consistent with the group's 2026 pattern of extortion against large enterprises, though AdaptHealth has not publicly confirmed the attribution.

Why it matters

The breach is a textbook example of how attackers increasingly reach protected health information not by defeating a hospital's defences directly but by compromising a trusted third party and riding valid credentials into cloud systems. Because the exposed material spans billing passwords, PII, and PHI across patient management and EHR portals, affected individuals face a durable risk of medical-identity fraud and targeted phishing, and AdaptHealth faces the prospect of regulatory scrutiny under U.S. health-privacy rules once the forensic review establishes how many people were affected.

Timeline

  1. 15 June 2026: A threat actor contacts AdaptHealth claiming to have obtained data from its systems, prompting the company to activate its incident response procedures.

  2. 27 June 2026: AdaptHealth determines the incident is material given the nature and potential volume of data at risk.

  3. 2 July 2026: AdaptHealth discloses the incident to the U.S. Securities and Exchange Commission in a Form 8-K filing.

Sources

  1. theregister.com: https://www.theregister.com/security/2026/07/03/adapthealth-crooks-stole-our-passwords-patient-health-data/5266512
  2. hipaajournal.com: https://www.hipaajournal.com/adapthealth-data-breach/
  3. sec.gov: https://www.sec.gov/Archives/edgar/data/0001725255/000110465926080297/ahco-20260627x8k.htm
  4. stocktitan.net: https://www.stocktitan.net/sec-filings/AHCO/8-k-adapt-health-corp-reports-material-event-80512081bbc7.html
