ctipilot.ch

AdaptHealth 8-K — social-engineered third-party-contractor session hijack exposes PHI

incident · item:adapthealth-contractor-session-hijack-8k

Coverage timeline: 1 (first 2026-07-03 → last 2026-07-03)
Briefs: 1 (1 distinct)
Sources cited: 3 (2 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-07-03: CTI Daily Brief — 2026-07-03
     Section: active_threats. First coverage: 8-K Item 1.05; contractor session hijack into cloud patient-management apps; insurance-billing password file + PII/PHI exfiltrated.

Where this entity is cited

  • active_threats: 1

Source distribution

  • sec.gov: 2 (67%)
  • stocktitan.net: 1 (33%)

Related entities

Items in briefs about AdaptHealth 8-K — social-engineered third-party-contractor session hijack exposes PHI (1)

AdaptHealth breached via a social-engineered hijack of a third-party contractor's session [SINGLE-SOURCE]

From CTI Daily Brief — 2026-07-03 · published 2026-07-03

Durable-medical-equipment (DME) and home-healthcare provider AdaptHealth Corp. (Nasdaq: AHCO) filed an SEC Form 8-K (Item 1.05) on 2026-07-02 disclosing that an actor accessed its cloud-based business applications — including internal patient-management systems and document storage — through "a successful social engineering attack that compromised a user session associated with a third-party contractor" (SEC 8-K, 2026-07-02). The company received an extortion communication on 2026-06-15 and determined materiality on 2026-06-27. Confirmed exfiltration includes a stored insurance-billing password file plus patient PII and PHI, though the company says SSNs and payment-card data are not held in the affected systems (StockTitan filing digest, 2026-07-02). No threat-actor group is named. The hijack of a contractor's session echoes Scattered-Spider-style help-desk/vishing tradecraft, but the filing itself makes no attribution.

Defender takeaway: contractor and other third-party sessions into cloud EHR and document SaaS are a distinct trust boundary. The exploitable gap is Conditional Access policy that treats contractor accounts like staff accounts, combined with long-lived session tokens that are never re-validated against device or location. Enforce phishing-resistant MFA plus token-theft-resistant session binding (e.g. Continuous Access Evaluation) on contractor identities, and scope CASB impossible-travel and new-device session-reuse alerts specifically to guest/contractor principals.
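As an added illustration of that last point (example code written for this page, not from the brief, AdaptHealth, or any vendor product), the check below replays constructed sign-in events and flags a session token that reappears from a new device or from an implausibly distant location, evaluating only guest/contractor principals by default. Event fields, principal names, coordinates and the 900 km/h travel threshold are all assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in events: principal, principal_type, session_id, device_id,
# latitude, longitude, UTC timestamp. None of these values come from the filing.
EVENTS = [
    ("contractor.a@partner.example", "guest", "sess-001", "dev-laptop-1", 40.44, -79.99, "2026-06-10T13:00:00"),
    ("contractor.a@partner.example", "guest", "sess-001", "dev-laptop-1", 40.44, -79.99, "2026-06-10T13:30:00"),
    # same session token, 35 minutes later, from an unknown device on another continent
    ("contractor.a@partner.example", "guest", "sess-001", "dev-unknown-7", 52.52, 13.40, "2026-06-10T14:05:00"),
    ("staff.b@corp.example", "member", "sess-002", "dev-desk-2", 40.44, -79.99, "2026-06-10T13:00:00"),
    ("staff.b@corp.example", "member", "sess-002", "dev-desk-2", 51.50, -0.12, "2026-06-10T13:20:00"),
]

MAX_KMH = 900.0   # assumed ceiling: faster than a commercial flight is implausible
MIN_KM = 50.0     # assumed slack so geo-IP jitter inside one metro area never alerts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def analyze(events, scope=("guest",)):
    """Return (session_id, principal, alert_type) tuples.

    Only principals whose type is in `scope` are evaluated, mirroring the advice to aim
    these alerts at guest/contractor identities rather than the whole tenant.
    """
    last = {}     # session_id -> (device_id, lat, lon, timestamp) of the previous event
    alerts = []
    for principal, ptype, sid, dev, lat, lon, ts in sorted(events, key=lambda e: e[6]):
        if ptype not in scope:
            continue
        t = datetime.fromisoformat(ts)
        if sid in last:
            pdev, plat, plon, pt = last[sid]
            if dev != pdev:   # token presented from a device it was never issued to
                alerts.append((sid, principal, "new-device-session-reuse"))
            km = haversine_km(plat, plon, lat, lon)
            hours = (t - pt).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > MIN_KM and speed > MAX_KMH:
                alerts.append((sid, principal, "impossible-travel"))
        last[sid] = (dev, lat, lon, t)
    return alerts
```

Widening `scope` to include "member" shows why the scoping matters: the staff session's 20-minute hop between continents would then alert too, and in a real tenant that noise is what gets such rules disabled.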