AdaptHealth Reports Material Cyber Incident Involving Patient Data
The home medical equipment supplier AdaptHealth has notified the U.S. Securities and Exchange Commission (SEC) about a recent cybersecurity incident involving unauthorized access to patient data.
AdaptHealth supplies home medical equipment nationwide and partners with hospitals, physician practices, and insurance companies to provide medical equipment such as continuous glucose monitors, oxygen therapy equipment, CPAP machines, mobility equipment, orthotics, and other medical supplies.
As a publicly traded company, AdaptHealth is required to notify the SEC about any material cybersecurity incidents. While the cyberattack has not impacted its operations or its ability to serve patients, the incident is considered material due to the extent to which patient data has been exposed.
AdaptHealth services around 1.7 million patients annually in all 50 states, so a data breach has the potential to involve a considerable amount of sensitive data. The incident is still under investigation, so the extent of data theft has yet to be determined. In its Form 8-K filing, AdaptHealth explained that a hacker was able to compromise a user session associated with a third-party contractor and obtained the user’s credentials in a social engineering attack. AdaptHealth received a communication from the hacker on June 15, 2026, alleging its systems had been compromised, and data had been exfiltrated from its network.
AdaptHealth confirmed exfiltration of stored password files associated with insurance billing and external EHR system portals, which contained patients’ protected health information. The incident was rapidly contained, the affected user account was disabled, and additional access controls have now been implemented to prevent further unauthorized access.
The investigation into the incident is ongoing, with assistance provided by third-party cybersecurity and digital forensics specialists. AdaptHealth said it has taken steps to mitigate the risk of the dissemination of the exfiltrated data. That suggests that it has negotiated with the hacker and paid a ransom, although AdaptHealth has not confirmed whether that was the case.
It is currently not possible to tell whether the incident will have any material impact on its financial position. The company holds a cyber insurance policy, which it expects will cover at least some of the costs associated with the attack.
