Xsolis healthcare-AI vendor breach exposes 1.4M patients across seven US health systems — third-party processor pattern
From CTI Daily Brief — 2026-06-24 · published 2026-06-24
Xsolis, a Tennessee-based healthcare-AI vendor supplying utilization-management software to hospitals, disclosed that a phishing-driven intrusion on 2026-01-20/22 gave an attacker access to a limited environment, exposing data on 1,396,519 patients across at least seven US health systems (HIPAA Journal, 2026-06-23; Security Affairs, 2026-06-23). Exposed data spans patient names, addresses, dates of birth, dates of service, medical record numbers, diagnosis/treatment and health-insurance information, and — for some individuals — Social Security numbers (affected patients were offered credit-monitoring / identity-theft protection); Xsolis says it contained the intrusion within ~48 hours and reports no confirmed misuse of the data as of disclosure. The ~5-month gap between intrusion (January) and broad notification (June) reflects the breach cascading through Xsolis as a HIPAA Business Associate to each covered-entity client's own notification clock.
Defender takeaway: No CH/EU victims, but the structure is the lesson for European health and public-sector buyers: a single multi-tenant processor compromise propagates exposure across every client, and phishing-to-limited-environment access points at MFA gaps on a service or staff account with repository access. The EU/CH analogues are GDPR Article 28 processor-audit duties and the 72-hour processor-to-controller notification expectation. Detection focus for any shared patient/records repository: anomalous bulk-export and off-hours query volume from service/API accounts (T1078 Valid Accounts, T1567 Exfiltration Over Web Service), and enforced phishing-resistant MFA on every account that can reach the data store.
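As an added example of that detection focus (not code from the brief, from Xsolis, or from any of the named sources), the Python below flags two patterns over a shared records store's audit trail: exports far above an account's own median row count, and off-hours operation volume from service accounts. The log format, account names, thresholds and business-hours window are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit lines from a hypothetical shared patient-records store:
# "<timestamp> <account> <action> rows=<count>". Values are invented.
AUDIT_LOG = [
    "2026-01-20T09:14:03Z svc-um-sync export rows=180",
    "2026-01-20T10:02:41Z svc-um-sync export rows=210",
    "2026-01-20T11:30:12Z svc-um-sync export rows=195",
    "2026-01-20T14:45:09Z svc-um-sync export rows=205",
    "2026-01-21T02:17:55Z svc-um-sync export rows=48000",
    "2026-01-21T02:19:02Z svc-um-sync export rows=52000",
    "2026-01-21T02:21:40Z svc-um-sync export rows=47500",
    "2026-01-20T13:05:20Z jdoe query rows=12",
    "2026-01-21T03:10:00Z jdoe query rows=8",
]

BUSINESS_HOURS = range(6, 20)  # assumed 06:00-19:59 UTC is in-hours
OFF_HOURS_LIMIT = 2            # >2 off-hours ops per service account per day alerts
BULK_FACTOR = 10               # rows >= 10x the account's median counts as bulk

def parse(line):
    ts, account, action, rows = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "account": account, "action": action, "rows": int(rows.split("=")[1])}

def detect(lines):
    """Return (rule, account, when, value) alerts for the two patterns."""
    by_account = defaultdict(list)
    for e in (parse(line) for line in lines):
        by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        # Median baseline stays stable while anomalous events are a minority.
        baseline = median(e["rows"] for e in evs)
        off_hours = defaultdict(int)
        for e in evs:
            if e["rows"] >= BULK_FACTOR * baseline:  # T1567-style bulk pull
                alerts.append(("bulk_export", account, e["ts"].isoformat(), e["rows"]))
            if account.startswith("svc-") and e["ts"].hour not in BUSINESS_HOURS:
                off_hours[e["ts"].date()] += 1  # T1078: valid account, odd hours
        for day, n in off_hours.items():
            if n > OFF_HOURS_LIMIT:
                alerts.append(("off_hours_volume", account, day.isoformat(), n))
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

In production the baseline would come from a trailing window of prior days rather than the same batch being scored, so a sustained exfiltration cannot drag the median up.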