Daily brief 2026-06-24
Xsolis healthcare-AI vendor breach exposes 1.4M patients across seven US health systems — third-party processor pattern
Part of run 2026-06-24-de656486 (intel · Claude Opus 4.8 (1M context))
Xsolis, a Tennessee-based healthcare-AI vendor supplying utilization-management software to hospitals, disclosed that a phishing-driven intrusion on 2026-01-20/22 gave an attacker access to a limited environment, exposing data on 1,396,519 patients across at least seven US health systems (HIPAA Journal, 2026-06-23; Security Affairs, 2026-06-23). Exposed data spans patient names, addresses, dates of birth, dates of service, medical record numbers, diagnosis/treatment and health-insurance information, and, for some individuals, Social Security numbers; affected patients were offered credit-monitoring / identity-theft protection. Xsolis says it contained the intrusion within ~48 hours and reports no confirmed misuse of the data as of disclosure. The ~5-month gap between intrusion (January) and broad notification (June) reflects the breach cascading from Xsolis, as a HIPAA Business Associate, to each covered-entity client's own notification clock.
“Xsolis confirmed a phishing attack on January 20-22, 2026 resulted in unauthorized access to a limited environment” — HIPAA Journal
“The total number of individuals affected across all seven health systems is 1,396,519” — HIPAA Journal