Nearly 1.4 million people are affected by a healthcare data breach involving Xsolis, a technology vendor that helps hospitals and health insurers review patient care.
Xsolis has confirmed that an unauthorized actor acquired files containing personal and protected health information, and the incident is now listed on the US Department of Health and Human Services’ public breach portal. HHS lists the breach as affecting 1,396,519 people.
You may never deal with Xsolis directly, but your health data might.
January intrusion began with targeted phishing
Xsolis traced the incident to a targeted phishing attack on Jan. 20, 2026, and said it discovered suspicious activity two days later that affected a limited portion of its systems.
After detecting the intrusion, the company said it cut off unauthorized access, isolated affected hosts and user accounts, engaged external cybersecurity experts, and notified law enforcement.
Investigators later found that the attacker acquired a limited number of files during the access period. The company said it has not detected further unauthorized activity since Jan. 22.
Stolen files contained health and identity data
The files taken from the company’s systems contained information that varied by person, according to Xsolis.
Names, addresses, dates of birth, health insurance information, Social Security numbers, and medical treatment information were among the data categories involved.
More than 600 hospitals and organizations use the vendor’s Dragonfly platform, though the attack has not been linked to all of them. Mayo Clinic, Legacy Health, Rochester Regional Health, and UW Medicine have confirmed patient impact from the breach.
Xsolis said it is not aware of any actual or attempted misuse related to the incident. Even so, identity details can be used in fraud attempts. Insurance and treatment information can also reveal details connected to care, billing, and benefits.
Must-read security coverage
- UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
- Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
- How GitHub Is Securing the Software Supply Chain
- 8 Best Enterprise Password Managers
Xsolis strengthens security and offers monitoring
Following the incident, Xsolis said it took several steps to strengthen security, including:
- resetting passwords for all users and key accounts
- increasing system monitoring
- deploying new protective technology
- completing the rollout of updated security measures
- accelerating annual security training
- strengthening processes for managing credentials and responding to future incidents
The company is offering eligible people who receive notification letters 12 months of identity-monitoring services through Kroll at no cost. For adults, the offer includes credit monitoring, fraud consultation, and identity theft restoration. Separate notices for minors include minor identity monitoring.
Password resets and stronger credential processes can reduce the chance that compromised access remains usable. Heavier monitoring gives security teams a better shot at catching unusual activity before an intrusion deepens.
Related reading: Novo Nordisk has confirmed a security incident after hackers claimed to have stolen 1.3 TB of sensitive company data.