In January 2026, Xsolis, a Tennessee-based healthtech company that provides AI-powered case and utilization management solutions to healthcare providers, was hit by a targeted phishing attack that exposed the protected health information of nearly 1.4 million patients. If you received care from a healthcare provider that uses Xsolis, your most sensitive personal and medical data may be at risk. Here's what you need to know and what to do about it.
What Happened
Between January 20 and January 22, 2026, an unauthorized third party gained access to a limited portion of the Xsolis environment through a targeted phishing attack. An employee was tricked into revealing credentials, giving attackers access to systems containing sensitive patient data.
Xsolis identified the unauthorized activity on January 22 and contained the breach, terminating unauthorized access. The incident was reported to the U.S. Department of Health and Human Services' Office for Civil Rights as affecting 1,396,519 individuals.
What Data Was Exposed
The breach potentially compromised some of the most sensitive categories of personal information:
- Names and dates of birth
- Social Security numbers
- Health insurance information including policy numbers and coverage details
- Medical treatment information including diagnoses and procedures
Healthcare Data Is Especially Valuable to Criminals
Medical records sell for significantly more than credit card numbers on the dark web because they contain a combination of personal, financial, and health data that can be used for insurance fraud, identity theft, and prescription fraud. Unlike a credit card, you cannot simply cancel and replace your medical history.
Which Healthcare Providers Were Affected
Xsolis is a business associate of multiple HIPAA-covered healthcare providers across the country. Confirmed affected organizations include:
- VHC Health — serving patients in Northern Virginia and the Washington D.C. metro area
- Rochester Regional Health — based in New York
Additional healthcare providers may also be affected. If you received a notification letter from your healthcare provider or from Xsolis, your data was likely compromised.
Steps to Protect Yourself
1. Enroll in Free Credit Monitoring
Xsolis is offering free credit monitoring and identity protection services to eligible affected individuals. If you received a notification letter, follow the instructions to enroll as soon as possible. These services can help detect potential misuse of your personal information.
2. Freeze Your Credit
With Social Security numbers potentially exposed, placing a credit freeze at all three major bureaus (Equifax, Experian, and TransUnion) is one of the most effective steps you can take. A freeze prevents anyone from opening new credit accounts using your identity.
3. Monitor Your Health Insurance Statements
Review all Explanation of Benefits (EOB) statements from your health insurer carefully. Look for:
- Medical services or procedures you didn't receive
- Claims from providers you've never visited
- Prescriptions you didn't fill
- Bills from unfamiliar healthcare facilities
If you spot anything suspicious, contact your health insurer immediately and request a copy of your medical records to check for inaccuracies.
4. Request Your Medical Records
Under HIPAA, you have the right to access your medical records. Request copies from your healthcare providers and review them for any entries that don't belong to you. Fraudulent entries in your medical records can lead to dangerous situations if they affect your treatment decisions.
5. Place a Fraud Alert
Contact one of the three major credit bureaus to place a fraud alert on your credit file. The bureau you contact is required to notify the other two. A fraud alert requires businesses to verify your identity before issuing new credit in your name.
6. File an IRS Identity Protection PIN Request
Since Social Security numbers were potentially compromised, consider requesting an Identity Protection PIN from the IRS. This six-digit number helps prevent someone from filing a fraudulent tax return using your Social Security number.
Report Medical Identity Theft
If you discover that someone has used your medical identity, file a complaint with the HHS Office for Civil Rights at hhs.gov/ocr, report it to the FTC at IdentityTheft.gov, and contact your state's attorney general. Medical identity theft can have life-threatening consequences if incorrect information ends up in your health records.
Long-Term Protection
A single data breach notification and a year or two of credit monitoring aren't enough when your Social Security number and medical records are in the hands of criminals. Data from healthcare breaches often surfaces months or years after the initial incident.
PrivacyOn provides continuous protection by removing your personal information from 100+ data broker sites, monitoring the dark web for your exposed credentials, and alerting you to new exposures. This ongoing approach helps reduce the risk of your compromised data being used for identity theft, insurance fraud, or targeted scams long after the initial breach.
What Xsolis Has Said
Xsolis has stated that the incident has been contained, unauthorized access has been terminated, and no evidence of unauthorized access has been found since January 22, 2026. The company has also said it found no evidence that the exposed data has been misused, though affected individuals should remain vigilant regardless.