Data breach on healthcare AI vendor exposes records from 1.4M patients

Last week, HealthExec reported on a data breach at a healthcare AI company that resulted in personal data from its hospital and payer clients being exposed to hackers. This week, a filing with the federal government provided details on how many patients were impacted. 

According to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights healthcare data breach tracker, the number of individuals impacted by the hack on Xsolis was determined to be 1,396,519.

The stolen data was determined to include protected health information, such as details on medical treatments that patients received. Names, dates of birth, contacts, Social Security numbers and health insurance information were also compromised.

Xsolis, a company that uses artificial intelligence to improve patient care utilization, posted a notice earlier this month that contained many of the details of the data security incident, said to have stemmed from a “targeted phishing attack” that resulted in an unauthorized third party accessing its network. 

According to the HHS data breach tracker, the company formally filed its data breach notification on June 5.

The unauthorized intrusion was discovered on Jan. 22, two days after hackers gained access, Xsolis confirmed. It added that it worked with a third-party cybersecurity firm to investigate the scope of the data breach and to put new safeguards in place to secure its network against future invasions.

To date, no hacker cell has claimed credit for the breach, and the data trove taken from Xsolis’s customers has not been found posted for sale anywhere on the dark web. The company said it has no evidence that any of the stolen health information has been used for nefarious purposes. 

It has notified victims, offering complimentary identity theft protection and credit monitoring services. 

Hospitals alert their patients

Based in Tennessee, Xsolis deploys technology to help healthcare payer plans and hospitals to estimate inpatient care throughput times, such as a patient’s length of stay, for the purpose of accurate billing. 

Its hospital and health system clients will be responsible for notifying their patients about the data leak. According to reporters at ARL Now, Virginia-based VHC Health has already sent breach notifications to impacted individuals. 

HealthExec previously reached out to Xsolis for additional comment on the data breach but did not receive a reply. 

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
