Phishing | Contained

Phishing breach at healthtech firm Xsolis exposes 1.4 million people

Xsolis, a US healthcare AI vendor, disclosed that a January phishing attack exposed the personal and protected health information of nearly 1.4 million people.

Victim: Xsolis
Records: 1.4M
Users: 1.4M

On 23 June 2026, Xsolis, a US-based healthcare technology company whose AI-driven software is used by hospitals and health insurers for utilization management, medical-necessity review and revenue-cycle decisions, disclosed a data breach affecting nearly 1.4 million people. Because Xsolis is a HIPAA business associate that handles data on behalf of more than 600 health organizations, the breach is one of the larger business-associate incidents reported so far in 2026.

What happened

According to Xsolis, the incident stemmed from a targeted phishing attack that began on 20 January 2026 and gave an unauthorized actor access to a limited portion of its environment. The company said it detected the activity on 22 January 2026, interrupted and contained it, ended the unauthorized access, and isolated the affected hosts and user accounts before bringing in outside cybersecurity experts.

The breach was added to the US Department of Health and Human Services breach portal, where the number of affected individuals was listed as 1,396,519. No ransomware deployment was reported, and no threat actor had publicly claimed responsibility at the time of disclosure.

Impact

Xsolis said the attacker accessed files containing personal and protected health information that the company had received from its clients. The exposed data included names, dates of birth, addresses, Social Security numbers, health-insurance information and medical-treatment information. The company stated it was not aware of any actual or attempted misuse of the information as of its notice and said it was notifying affected individuals.

Why it matters

The breach is another reminder that a single successful phishing email against a healthcare vendor can expose the sensitive records of well over a million patients who never directly interacted with that company. Business associates sit on large pools of protected health information aggregated from many providers, making them attractive targets and amplifying the blast radius of even a contained intrusion. Durable identifiers such as Social Security numbers and medical histories cannot simply be reset, leaving affected patients exposed to fraud and identity theft long after remediation.

Timeline

  1. A targeted phishing attack gives an unauthorized actor access to part of the Xsolis environment.

  2. Xsolis detects the unauthorized activity, contains it and isolates affected hosts and accounts.

  3. Xsolis publicly discloses the breach as it is added to the federal HHS breach portal, listing 1,396,519 affected individuals.

Sources

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/healthtech-firm-xolis-suffers-data-breach-impacting-14-million-people/
  2. securityweek.com: https://www.securityweek.com/xsolis-data-breach-affects-1-4-million-individuals/
  3. hipaajournal.com: https://www.hipaajournal.com/xsolis-data-breach/
  4. techradar.com: https://www.techradar.com/pro/security/us-healthcare-ai-platform-xsolis-confirms-data-breach-that-affects-1-4-million-individuals
