Security | July 3, 2026 | 7 min read

What to Do After the Xsolis Data Breach

By Sarah Chen

Head of Privacy Research

In January 2026, Xsolis, a Tennessee-based healthtech company that provides AI-powered case and utilization management solutions to healthcare providers, was hit by a targeted phishing attack that exposed the protected health information of nearly 1.4 million patients. If you received care from a healthcare provider that uses Xsolis, your most sensitive personal and medical data may be at risk. Here's what you need to know and what to do about it.

What Happened

Between January 20 and January 22, 2026, an unauthorized third party gained access to a limited portion of the Xsolis environment through a targeted phishing attack. An employee was tricked into revealing credentials, giving attackers access to systems containing sensitive patient data.

Xsolis identified the unauthorized activity on January 22 and contained the breach, terminating unauthorized access. The incident was reported to the U.S. Department of Health and Human Services' Office for Civil Rights as affecting 1,396,519 individuals.

What Data Was Exposed

The breach potentially compromised some of the most sensitive categories of personal information:

  • Names and dates of birth
  • Social Security numbers
  • Health insurance information including policy numbers and coverage details
  • Medical treatment information including diagnoses and procedures

Healthcare Data Is Especially Valuable to Criminals

Medical records sell for significantly more than credit card numbers on the dark web because they contain a combination of personal, financial, and health data that can be used for insurance fraud, identity theft, and prescription fraud. Unlike a credit card, you cannot simply cancel and replace your medical history.

Which Healthcare Providers Were Affected

Xsolis is a business associate of multiple HIPAA-covered healthcare providers across the country. Confirmed affected organizations include:

  • VHC Health — serving patients in Northern Virginia and the Washington D.C. metro area
  • Rochester Regional Health — based in New York

Additional healthcare providers may also be affected. If you received a notification letter from your healthcare provider or from Xsolis, your data was likely compromised.

Steps to Protect Yourself

1. Enroll in Free Credit Monitoring

Xsolis is offering free credit monitoring and identity protection services to eligible affected individuals. If you received a notification letter, follow the instructions to enroll as soon as possible. These services can help detect potential misuse of your personal information.

2. Freeze Your Credit

With Social Security numbers potentially exposed, placing a credit freeze at all three major bureaus (Equifax, Experian, and TransUnion) is one of the most effective steps you can take. A freeze prevents anyone from opening new credit accounts using your identity.

3. Monitor Your Health Insurance Statements

Review all Explanation of Benefits (EOB) statements from your health insurer carefully. Look for:

  • Medical services or procedures you didn't receive
  • Claims from providers you've never visited
  • Prescriptions you didn't fill
  • Bills from unfamiliar healthcare facilities

If you spot anything suspicious, contact your health insurer immediately and request a copy of your medical records to check for inaccuracies.

4. Request Your Medical Records

Under HIPAA, you have the right to access your medical records. Request copies from your healthcare providers and review them for any entries that don't belong to you. Fraudulent entries in your medical records can lead to dangerous situations if they affect your treatment decisions.

5. Place a Fraud Alert

Contact one of the three major credit bureaus to place a fraud alert on your credit file. The bureau you contact is required to notify the other two. A fraud alert requires businesses to verify your identity before issuing new credit in your name.

6. File an IRS Identity Protection PIN Request

Since Social Security numbers were potentially compromised, consider requesting an Identity Protection PIN from the IRS. This six-digit number helps prevent someone from filing a fraudulent tax return using your Social Security number.

Report Medical Identity Theft

If you discover that someone has used your medical identity, file a complaint with the HHS Office for Civil Rights at hhs.gov/ocr, report it to the FTC at IdentityTheft.gov, and contact your state's attorney general. Medical identity theft can have life-threatening consequences if incorrect information ends up in your health records.

Long-Term Protection

A single data breach notification and a year or two of credit monitoring aren't enough when your Social Security number and medical records are in the hands of criminals. Data from healthcare breaches often surfaces months or years after the initial incident.

PrivacyOn provides continuous protection by removing your personal information from 100+ data broker sites, monitoring the dark web for your exposed credentials, and alerting you to new exposures. This ongoing approach helps reduce the risk of your compromised data being used for identity theft, insurance fraud, or targeted scams long after the initial breach.

What Xsolis Has Said

Xsolis has stated that the incident has been contained, unauthorized access has been terminated, and no evidence of unauthorized access has been found since January 22, 2026. The company has also said it found no evidence that the exposed data has been misused, though affected individuals should remain vigilant regardless.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
