AdaptHealth breached via a social-engineered hijack of a third-party contractor's session [SINGLE-SOURCE]
From CTI Daily Brief — 2026-07-03 · published 2026-07-03
DME and home-healthcare provider AdaptHealth Corp. (Nasdaq: AHCO) filed an SEC Form 8-K (Item 1.05) on 2026-07-02 disclosing that an actor accessed its cloud-based business applications — including internal patient-management systems and document storage — through "a successful social engineering attack that compromised a user session associated with a third-party contractor" (SEC 8-K, 2026-07-02). The company received an extortion communication on 2026-06-15 and determined materiality on 2026-06-27; confirmed exfiltration includes a stored insurance-billing password file plus patient PII and PHI, though it says SSNs and payment-card data are not held in the affected systems (StockTitan filing digest, 2026-07-02). No threat-actor group is named. The session-hijack-of-a-contractor pattern echoes Scattered-Spider-style help-desk/vishing tradecraft, though the filing does not attribute.
Defender takeaway: contractor/third-party sessions into cloud EHR and document SaaS are a distinct trust boundary. Conditional Access that treats contractor accounts like staff, and long-lived session tokens not re-validated against device/location, are the exploitable gap — enforce phishing-resistant MFA plus token-theft-resistant session binding (e.g. Continuous Access Evaluation) on contractor identities, and scope CASB impossible-travel / new-device-reuse alerts specifically to guest/contractor principals.
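The scoping described in the takeaway, as an added example (not from the brief or the filing): it flags a session ID that reappears on a different device or at impossible travel speed, but only for guest/contractor principals. The field names, the 900 km/h and 100 km thresholds, and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900  # assumed threshold: faster than a commercial flight

@dataclass
class SignIn:
    ts: datetime
    user_type: str   # "member", "guest" or "contractor" (hypothetical field)
    session_id: str
    device_id: str
    lat: float
    lon: float

def km(a, b):  # great-circle (haversine) distance in km between two sign-ins
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events, scoped=("guest", "contractor")):
    """Return (session_id, reason) alerts, evaluating scoped principals only."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.user_type not in scoped:
            continue  # staff sessions are out of scope for this rule
        prev = last.get(e.session_id)
        if prev:
            if e.device_id != prev.device_id:
                alerts.append((e.session_id, "session reused from new device"))
            dist, hours = km(prev, e), (e.ts - prev.ts).total_seconds() / 3600
            # Ignore short hops (geo-IP jitter); flag only implausible speed.
            if dist > 100 and dist / max(hours, 1e-6) > MAX_KMH:
                alerts.append((e.session_id, "impossible travel"))
        last[e.session_id] = e
    return alerts

# Constructed sample events (not taken from the filing)
T = datetime.fromisoformat
EVENTS = [
    SignIn(T("2026-06-01T09:00:00"), "contractor", "s-100", "dev-A", 40.71, -74.00),
    SignIn(T("2026-06-01T09:40:00"), "contractor", "s-100", "dev-B", 52.52, 13.40),
    SignIn(T("2026-06-01T10:00:00"), "member", "s-200", "dev-C", 40.71, -74.00),
    SignIn(T("2026-06-01T10:05:00"), "member", "s-200", "dev-D", 35.68, 139.69),
    SignIn(T("2026-06-01T11:00:00"), "guest", "s-300", "dev-E", 51.50, -0.12),
    SignIn(T("2026-06-01T11:30:00"), "guest", "s-300", "dev-E", 51.51, -0.10),
]

if __name__ == "__main__":
    print(detect(EVENTS))
```

Only the contractor session `s-100` alerts; the member session `s-200` shows the same pattern but falls outside the scoped principal types, and the guest session `s-300` stays on one device within a short distance.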