Xsolis Data Breach Affects Almost 1.4 Million Patients

The healthcare AI platform provider Xsolis has announced a major data breach in which the protected health information of almost 1,.4 million patients was exposed. Xsolis, a Tennessee-based healthcare technology company, provides AI-based utilization management and revenue cycle management solutions to hospitals, health systems, and payers. In June, the company disclosed a data security incident stemming from a phishing attack.

Unauthorized access was identified on January 22, 2026, and the forensic investigation determined that a threat actor had gained access to internal files two days earlier, after an employee responded to a phishing attempt. The threat actor obtained credentials that permitted access to files containing names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance information.

It is unclear how many of the company’s clients have been affected by the incident. They have been notified, and some, such as Mayo Clinic, have issued their own notifications. According to the Mayo Clinic announcement, it was notified by Xsolis on April 23, 2026, that patient data was exposed in the incident.

When Xsolis announced the incident, it was unclear how many individuals had been affected. The data breach had been reported to regulators, but the HHS’ Office for Civil Rights had yet to add the data breach to its data breach portal. The incident has now been added and shows that the electronic protected health information of 1,396,519 individuals was exposed in the incident.

It is currently unclear whether this was a data theft and extortion incident or if ransomware was involved. No threat actor has claimed responsibility for the incident, and there appears to have been no data leak. Xsolis said it is unaware of any misuse of patient data as a result of the incident at the time of issuing notifications.

The breach was significant and ranks as one of the largest of the year to date. It is one of six data breaches affecting more than 1 million individuals to be reported so far this year. There have been a slew of data breaches affecting business associates recently. Business associates are attractive targets for hackers, as they store large volumes of sensitive data and an attack on a business associate may give the attacker easy access to the networks of their healthcare clients.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

According to recent research conducted by the managed IT and security service vendor Omega Systems, 85% of the 200 healthcare respondents to its survey had experienced a third-party vendor breach in the past 12 months. Concerningly, 24% of respondents admitted to not knowing their vendors’ network security posture.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/