ctipilot.ch

Xsolis healthcare-AI vendor breach exposes 1.4M patients across seven US health systems — third-party processor pattern

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

Xsolis, a Tennessee-based healthcare-AI vendor supplying utilization-management software to hospitals, disclosed that a phishing-driven intrusion on 2026-01-20/22 gave an attacker access to a limited environment, exposing data on 1,396,519 patients across at least seven US health systems (HIPAA Journal, 2026-06-23; Security Affairs, 2026-06-23). Exposed data spans patient names, addresses, dates of birth, dates of service, medical record numbers, diagnosis/treatment and health-insurance information, and, for some individuals, Social Security numbers (affected patients were offered credit-monitoring / identity-theft protection). Xsolis says it contained the intrusion within ~48 hours and reports no confirmed misuse of the data as of disclosure. The ~5-month gap between intrusion (January) and broad notification (June) reflects how the breach cascaded from Xsolis, as a HIPAA Business Associate, to its covered-entity clients, each of which runs its own notification clock.