Healthcare AI vendor suffers data breach, exposing patient records to hackers
A healthcare technology vendor that provides AI-powered utilization management and case management software to hospitals and health insurers has been hit by a data breach that it said may have resulted in protected health information being stolen.
Tennessee-based Xsolis confirmed in a statement that it first became aware of the breach on Jan. 22, two days after a “targeted phishing attack” resulted in an unauthorized third party gaining access to its network.
The company uses artificial intelligence to help its clients determine whether a patient meets criteria for hospital care, including inpatient admissions and rehabilitation placements. Further, its technology helps to estimate a patient’s length of stay and observational status, impacting both care delivery and reimbursement.
Xsolis confirmed that the personal and protected health information hackers accessed came from its clients. Potentially compromised data includes names, addresses, dates of birth, health insurance information, Social Security numbers and medical treatment information on patients.
The company confirmed that the thieves were able to acquire files, implying they were moved offsite. However, the vendor added that it is “not aware of any actual or attempted misuse of information because of this incident,” and that it worked with a third-party cybersecurity firm throughout the investigation into the incident.
“We have taken steps to address the incident and are committed to protecting the information entrusted to us,” the company wrote. “Upon learning of this incident, we immediately began an investigation and reported the incident to law enforcement. We also implemented additional safeguards to further enhance the security of information in our possession and to help prevent similar incidents from occurring in the future.”
Potentially impacted individuals have all been identified, and Xsolis said it will be mailing data breach notices to victims soon. The specific data stolen will vary from person to person, the company added.
Hospitals on the hook
It’s unclear how many customers the data breach will impact, but at least one hospital has already notified patients about the risks associated with their personal information being exposed to hackers.
According to ARL Now, Virginia-based VHC Health has already sent breach notifications of its own, saying Social Security numbers, medical records details and account numbers may have been stolen during the cyberattack on Xsolis.
To date, no data trove stemming from the incident has been discovered on the dark web and the identities of the thieves is unknown. An official headcount of victims has also yet to be reported to the federal government.
HealthExec reached out to Xsolis seeking more information.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.