Biotech & Health • Security

Healthtech Company Xsolis Reports Data Breach Affecting 1.4 Million People

TBB Desk

1 hour ago · 12 min read

Xsolis, a healthtech company, has reported a significant data breach impacting 1.4 million individuals. (Illustrative AI-generated image).

Key Takeaways

The main points at a glance

  • The Breach in Brief
  • How the Phishing Attack Happened
  • What Data Was Taken?
  • Who Is Affected and What Xsolis Is Doing
  • The Maine Notification Portal Shutdown

Healthcare technology company Xsolis has confirmed that a phishing attack allowed hackers to break into its computer network and steal sensitive information belonging to nearly 1.4 million people.

The breach, which the company says it discovered in late 2024 but only disclosed publicly in early 2025, is one of the larger healthcare data incidents reported this year. It has also triggered a separate problem in Maine, where state officials had to shut down their data breach notification portal after someone used information from the Xsolis attack to file fake disclosures.

Xsolis, based in Brentwood, Tennessee, works with over 500 hospitals across the United States. The company uses artificial intelligence to help health systems manage patient care and handle billing. Because of that role, the company holds a mix of personal details and medical records.

Here is what we know so far about the incident and what it means for people who may be affected.

The Breach in Brief

Nearly 1.4 million individuals had their information compromised in this attack. That number includes both patients whose data Xsolis processed on behalf of hospitals and some of the company’s own employees.

The attack itself was a phishing campaign. Phishing is a type of online scam where criminals send emails that look legitimate to trick people into clicking a link or opening an attachment. Once the recipient does that, the attacker can steal passwords or install malicious software that gives them access to the victim’s computer network.

According to Xsolis’s notification to affected individuals, the phishing email appeared to come from a trusted source. At least one employee clicked on it, and that gave the attackers a foothold inside Xsolis’s systems.

The company did not say exactly when the phishing email arrived. But it stated in its breach notice that it detected unusual activity on its network in late 2024. An investigation followed, and Xsolis determined in early 2025 that the attackers had actually gained access earlier than initially realized.

Xsolis has not said whether the attackers demanded a ransom. Ransomware attacks, where criminals lock up a company’s files and demand payment to unlock them, are common in healthcare. But many phishing attacks lead to data theft without any ransom demand. The company said it is still investigating the full scope of what was taken.

The breach disclosure was first reported by BleepingComputer, a cybersecurity news site, after Xsolis began sending out notifications to affected individuals.

How the Phishing Attack Happened

Phishing attacks remain one of the most common ways that hackers break into companies. They are simple to launch and often work because they exploit human trust rather than technical weaknesses.

In this case, the attackers sent an email that looked like it came from a colleague or a trusted vendor. It likely included a link to a fake login page that mimicked a real website. When the employee typed their username and password, the attackers captured those credentials.

Once inside, the attackers moved through Xsolis’s network. Security experts call this “lateral movement.” The intruders searched for databases containing valuable data, such as patient records and employee files.

Xsolis has not disclosed exactly which security measures were in place at the time of the attack. The company said it has since “implemented additional security measures” and is reviewing its policies. That is standard language in breach notifications, but it suggests that the company believes its defenses were not strong enough to stop this attack.

Many healthcare companies have struggled to protect against phishing. The healthcare industry has been a prime target for years because the data is highly sensitive and can be used for identity theft, insurance fraud, or extortion.

Xsolis did not reveal whether the employee who fell for the phishing email had received any cybersecurity training. Experts say regular training can help reduce the risk, but no training is perfect. Even large tech companies with sophisticated security departments have seen employees fall for phishing emails.

What matters now is what the attackers did with the access they gained. Based on the information Xsolis has shared, the intruders were able to copy files containing personal information before their activity was detected.

What Data Was Taken?

The stolen data includes both personal identifiers and health information. According to Xsolis’s notification, the attackers obtained names, addresses, dates of birth, Social Security numbers, and medical record numbers. They also obtained health insurance information and clinical data such as diagnoses, treatment codes, and lab results.

That combination of information is dangerous. With a name, Social Security number, and date of birth, a criminal can open new credit accounts, file fraudulent tax returns, or obtain medical services in someone else’s name. Medical identity theft can be especially hard to clean up because it involves correcting records with healthcare providers and insurance companies.

For employees of Xsolis, the stolen data likely includes payroll information such as bank account details for direct deposit. Xsolis said it is offering affected individuals free credit monitoring and identity theft protection services.

The company has not said exactly how many data fields were stolen per person. For some individuals, only a name and medical record number may have been taken. For others, the full set of information may have been copied.

It is also not clear whether the attackers stole all of the data they accessed. Sometimes hackers copy only a portion of the files they can reach. But given the size of the breach, it is likely that the attackers spent enough time inside the network to extract a significant amount of information.

Xsolis said in its notification that it has not seen evidence that the stolen data has been used for fraud or identity theft. But it warned affected individuals to remain vigilant and monitor their accounts for suspicious activity.

Who Is Affected and What Xsolis Is Doing

The breach affects roughly 1.4 million individuals. Most of them are patients whose data was processed by Xsolis as part of its work with hospitals. A smaller number are current and former employees of Xsolis.

Xsolis began mailing notifications to affected individuals in early 2025. The notifications include a description of what happened, what information was involved, and what steps the company is taking in response.

As part of its response, Xsolis said it has contacted law enforcement. The company did not name which agencies are involved. It is common for healthcare data breaches to be reported to the Federal Bureau of Investigation and the Department of Health and Human Services Office for Civil Rights.

The company has also hired an outside cybersecurity firm to help with the investigation. That firm is working to determine exactly how the attackers got in, what they accessed, and whether any data was deleted or modified.

For affected individuals, Xsolis is offering one year of free credit monitoring through a service called Cyberscout. People can also request a free credit freeze with the three major credit reporting agencies. A credit freeze prevents anyone from opening new accounts in your name without your permission.

Xsolis has set up a dedicated phone number and website for people with questions. The company recommends that anyone who believes their information was stolen should contact their bank and health insurance provider.

There is no indication yet that the attackers are actively trying to use the stolen data. But that could change. Stolen medical data is often sold on underground forums, where it can be bought by other criminals who then use it for fraud months or even years later.

The Maine Notification Portal Shutdown

This breach has an unusual twist that has nothing to do with the initial attack. Maine’s data breach notification portal was temporarily shut down after someone used information from the Xsolis breach to file fake breach notifications.

Maine requires companies that experience a data breach to file a notice with the state attorney general’s office if the breach affects Maine residents. The state operates an online portal for companies to submit these notices.

According to a BleepingComputer report, someone filed fake notifications that appeared to come from legitimate companies but actually used stolen information from the Xsolis breach to create the appearance of additional breaches. This type of attack is sometimes called “notification fraud.” It can be used to confuse regulators, hide the real scope of a breach, or cause legal trouble for the companies listed as having filed notices.

Maine officials said they disabled the portal after discovering the fake filings. It is not clear how long the portal was down or when it will be back online. The state has not released specific details about which companies were impersonated or how many fake notices were submitted.

This secondary incident shows that data breaches can have ripple effects beyond the initial loss of information. The same stolen data that allows criminals to commit identity theft can also be used to file fraudulent government documents, including legal notices.

For Xsolis, the Maine incident adds another layer of complication. Even though the company did not file the fake notices, the breach of its systems made those fraudulent filings possible.

What This Means for Healthcare Cybersecurity

The Xsolis breach is the latest in a long string of attacks on healthcare companies. According to the Department of Health and Human Services, healthcare data breaches have been rising steadily for years. Phishing is the most common way attackers gain access.

Healthcare companies are attractive targets because they hold large amounts of sensitive data and often have weaker cybersecurity than banks or tech firms. They also operate under tight budgets, which can make it hard to invest in the latest security tools.

Many hospitals and health systems rely on third-party vendors like Xsolis to handle data. But those vendors can be a weak link. If a vendor is hacked, the hospitals and patients who trusted them are also exposed.

Regulators have taken notice. The Office for Civil Rights, which enforces health data privacy laws under HIPAA, has increased fines for breaches that it considers preventable. In 2024, the agency issued several multimillion-dollar fines to healthcare companies that failed to protect patient data.

The Xsolis breach could lead to additional scrutiny of how healthcare technology companies manage cybersecurity. It may also push more hospitals to require their vendors to meet strict security standards before they can handle patient data.

For patients, this breach is a reminder that their personal and medical information is held not just by their doctor’s office but by many companies that work behind the scenes. That data can be exposed even if they never directly interacted with Xsolis.

What Happens Next

Xsolis said it will continue its investigation with the help of outside experts and law enforcement. The company has not set a timeline for completing that investigation.

Affected individuals should expect to receive a notification letter in the mail if they have not already. The letter will include details about which of their data fields were exposed and how to enroll in credit monitoring.

People who believe they may be affected but have not received a letter can contact Xsolis directly. The company’s breach response page includes a phone number and an email address for questions.

Over the next several weeks, more details may emerge about the attack. It is possible that the attackers will release some of the stolen data online, either to prove they have it or to pressure Xsolis into paying a ransom. If that happens, the affected individuals could face an increased risk of identity theft.

On the regulatory side, the Office for Civil Rights will likely investigate the breach and may issue fines if it finds that Xsolis failed to take reasonable steps to prevent a phishing attack. The company could also face lawsuits from affected individuals. Class-action lawsuits are common after large data breaches.

For the broader healthcare industry, this incident serves as another warning. Phishing attacks are not going away. Companies that handle sensitive health data need to invest in training, technology, and incident response plans to reduce the risk of a breach. For the 1.4 million people caught up in this attack, the wait to see if their information is misused is just beginning.

Frequently Asked Questions

What happened in the data breach at Xsolis?

Xsolis, a healthtech company, experienced a data breach due to a phishing attack. Hackers gained access to their network and stole sensitive information from nearly 1.4 million people.

How did the hackers get into Xsolis's network?

The attackers used a phishing campaign, sending fake emails that appeared to be from a trusted source. An employee clicked on a malicious link in one of these emails, which allowed the hackers to access the company's systems.

What kind of information was stolen in the breach?

The stolen data includes personal identifiers like names, addresses, dates of birth, and Social Security numbers. It also includes health information such as medical record numbers, insurance details, diagnoses, and treatment information.

Who was affected by this data breach?

Nearly 1.4 million individuals were affected. This includes patients whose data Xsolis processed for hospitals, as well as some of Xsolis's own employees.

When did the Xsolis data breach occur and when was it disclosed?

Xsolis discovered unusual activity on its network in late 2024. The company determined the breach happened earlier than initially thought and publicly disclosed the incident in early 2025.

What is Xsolis doing to help those affected?

Xsolis is offering affected individuals free credit monitoring and identity theft protection services. They have also stated they are implementing additional security measures and reviewing their policies.

Has the stolen data been used for fraud yet?

Xsolis has not seen any evidence that the stolen data has been used for fraud or identity theft. However, they are continuing to investigate the full scope of what was taken and how it might be used.

References

  • Healthtech firm Xolis suffers data breach impacting 1.4 million people – Original report (BleepingComputer)
  • Maine disables data breach notification portal after fake disclosures – BleepingComputer – This article provides context on the secondary incident where Maine shut down its notification portal due to fake filings linked to the Xsolis breach.
