Healthcare technology firm Xsolis has confirmed that a targeted phishing attack led to unauthorized access to its network and the exposure of sensitive information belonging to more than 1.39 million people.
The company, which provides AI‑powered software to over 600 hospitals and health insurers, said it detected suspicious activity on January 22, 2026, two days after the attack occurred. Xsolis reported that it immediately contained the incident and launched an investigation with external cybersecurity experts.
The review found that attackers accessed files containing personal data that may include names, addresses, dates of birth, health insurance details, Social Security numbers and medical treatment information. The breach was disclosed to the U.S. Department of Health and Human Services, which published the affected total at 1,396,519 individuals.
The company said it has notified law enforcement, implemented additional security measures and is sending mailed notices to potentially affected individuals. Xsolis has also set up a toll‑free call center to answer questions and provide free credit monitoring and identity‑protection services. While no threat actor has claimed responsibility, Xsolis urged those impacted to remain vigilant for identity theft or fraud.
The incident marks the third healthcare technology breach disclosed in less than a month, following recent cyber incidents at iRhythm Technologies and Novo Nordisk.
