VYPR
breachPublished Jul 3, 2026· 1 source

AdaptHealth Patient Data Stolen After Social Engineering Attack on Contractor

AdaptHealth disclosed a breach where attackers used social engineering against a third-party contractor to gain access to cloud systems and steal patient data, including insurance billing passwords.

AdaptHealth, a major provider of home medical equipment and services, has revealed a significant data breach resulting from a social engineering attack that compromised its cloud systems and led to the exfiltration of sensitive patient information. The incident, disclosed to the Securities and Exchange Commission (SEC) on July 3, 2026, involved attackers targeting a third-party contractor to gain initial access to AdaptHealth's internal network.

According to the company's disclosure, the cybercriminals successfully sweet-talked their way into the contractor's credentials, which then provided a gateway into AdaptHealth's cloud environment. Once inside, the attackers were able to access critical systems, including patient management platforms, document storage solutions, and external electronic health record (EHR) portals. This access allowed them to steal a range of data, notably including passwords associated with insurance billing processes.

The breach came to light when the attackers themselves contacted AdaptHealth on June 15, 2026, informing the company of the data theft. Following this notification, AdaptHealth immediately initiated its incident response protocols. The company took swift action by disabling the compromised contractor's user account, resetting all associated credentials, and implementing enhanced access controls to prevent further unauthorized entry.

AdaptHealth confirmed that personally identifiable information (PII) and protected health information (PHI) of certain patients were compromised. However, the company stated that Social Security numbers and payment card details are not believed to be affected by this incident. The exact scale of the data theft is still under investigation, but the potential volume and nature of the compromised data led AdaptHealth to deem the attack material, necessitating the SEC filing.

While the company has stated that the incident is now contained and has taken steps to mitigate the risk of the exfiltrated data being disseminated, the full impact remains under scrutiny. AdaptHealth has not disclosed whether any extortion demands were made or met, nor has any specific cybercrime group claimed responsibility for the attack. The company is continuing its investigation to ascertain the complete scope of the breach and the specific data compromised.

This incident highlights the persistent threat of social engineering, particularly when it targets third-party vendors or contractors who often have privileged access to sensitive systems. The healthcare sector, with its vast repositories of valuable patient data, remains a prime target for cybercriminals seeking financial gain or disruption.

AdaptHealth, founded in 2012 and serving over 4.2 million patients across the United States, specializes in respiratory, sleep, and diabetes therapies. The company's reliance on cloud infrastructure and its extensive patient database make it a significant target, underscoring the critical need for robust security measures and vigilant oversight of third-party access.

Synthesized by Vypr AI