
An AI Company That Serves 600 Hospitals Got Phished in January. 1.4 Million Patients Just Found Out.

  • Writer: Patrick Duggan

On January 20, 2026, a targeted phishing attack reached Xsolis.


The company detected unauthorized activity two days later, on January 22. The attackers were already gone by then.


Five months later, 1.4 million patients are receiving breach notification letters.



What Xsolis Does


Xsolis makes Dragonfly — an AI-driven clinical decision support platform for utilization management. Utilization management is the process by which hospitals and insurers determine what care is medically necessary, how long a patient should stay, and whether a procedure or treatment meets coverage criteria. It touches every admitted patient. Dragonfly is used by more than 600 hospitals and health systems.


When you give a platform that role in clinical operations, you give it access to PHI at scale. Patient names, diagnoses, treatment records, health insurance information. For 600 hospitals, that is a very large corpus of very sensitive data sitting behind a single vendor's security posture.


That posture failed on January 20.



The Breach


A targeted phishing attack compromised a limited portion of the Xsolis technology environment. The company acted quickly to interrupt and contain the unauthorized activity once detected on January 22. No evidence of unauthorized access has been found since January 22. No evidence of data misuse has been confirmed.


The data exposed for 1,396,519 individuals includes: names, addresses, dates of birth, health insurance information, Social Security numbers, and medical treatment information.


The affected health systems include AdventHealth, Beacon Health System, Carle Health, HonorHealth, Mayo Clinic, and MLK Community Healthcare.



The Supply Chain Read


Xsolis is not a household name. Its patients did not choose to share their data with Xsolis — they chose to receive care at their hospital, and their hospital contracted with Xsolis to manage clinical decisions. The data flowed to Xsolis as a byproduct of that relationship.


This is the healthcare vendor supply chain in its plainest form. Patients interact with hospitals. Hospitals interact with vendors. Vendors hold the data. When the vendor is breached, the patients' data is at risk regardless of how strong the hospital's own security posture is.


Mayo Clinic appears on this list. Mayo also appears in Xsolis's own marketing as a reference customer. That relationship means Mayo patients' data was in Xsolis's environment. We have Mayo Clinic on our vendor risk watch list at rank 4 — their AIPM score is 43, structurally lower than their NPS suggests, with public dev and staging environments for their AskMayoExpert clinical AI platform. A vendor breach affecting Mayo patient data is consistent with the risk profile we documented.



The Timeline Problem


The intrusion occurred January 20. Notifications are going out in June. That is five months. Under HIPAA's Breach Notification Rule, covered entities and business associates have 60 days from discovery to notify affected individuals. Discovery was January 22. The 60-day window expired March 23.


The delay between discovery and notification for 1.4 million affected individuals will be part of the class action and OCR investigation that follows.


Xsolis is offering 12 months of identity monitoring through Kroll.






