Xsolis disclosed a breach affecting 1.4M people after a phishing attack exposed personal and health data from its hospital clients’ systems.
Healthcare tech company Xsolis, Inc. has disclosed a data breach impacting nearly 1.4 million individuals. The Tennessee-based firm provides utilization management and revenue cycle solutions for healthcare providers.
The company became aware of unauthorized access on January 22, following a phishing attack two days earlier. The security breach exposed personal and protected health information received from Xsolis’s hospital and payer clients.
“On January 22, 2026, Xsolis became aware of unauthorized activity impacting a limited portion of the Xsolis environment resulting from a targeted phishing attack on January 20, 2026. We immediately contained the activity and launched an investigation with the assistance of external cybersecurity experts,” reads the company’s data security incident notice. “The investigation determined that an unauthorized actor acquired certain files containing information that, depending on the individual, may include names, addresses, date of birth, health insurance information, Social Security numbers, and medical treatment information. We are not aware of any actual or attempted misuse of information because of this incident.”
Attackers accessed files containing personal and protected health information provided by the company’s clients, including names, dates of birth, addresses, Social Security numbers, health insurance details, and medical treatment records.
The company launched an investigation into the incident, reported it to law enforcement, and implemented additional security safeguards to prevent similar events in the future. Xsolis is notifying potentially affected individuals by mail, providing details of the breach along with guidance on how to protect their information, including access to free credit monitoring and identity protection services.
A toll-free call center has also been established to assist affected individuals, answer questions, and support enrollment in protection services.
Individuals are advised to stay alert for identity theft and fraud by regularly reviewing credit reports, account statements, and explanation of benefits for suspicious activity or errors. Under U.S. law, they can obtain one free credit report annually from each major bureau: TransUnion, Experian, and Equifax.
They may also place free fraud alerts on their credit files, with extended alerts available for identity theft victims for up to seven years. Alternatively, individuals can request a credit freeze at no cost, which restricts access to credit, loans, and services without explicit consent.
The company did not provide technical details about the security breach or the number of impacted individuals. However, the US Department of Health and Human Services (HHS) reported that the number of affected individuals is 1,396,519.

At this time, no known ransomware group has claimed the attack.
(SecurityAffairs – hacking, Xsolis)
