Humana, Mayo Clinic vendor breach exposes records of 1.4M patients
Xsolis, a healthcare AI and analytics provider for Humana, one of the nation's largest healthcare insurers, alongside hundreds of major hospitals, doctors’ offices, and healthcare organizations, has revealed its systems were breached, exposing the patient data of nearly 1.4 million individuals.

Image by frank60 | Shutterstock
Xsolis, a healthcare AI and analytics provider for Humana, one of the nation's largest healthcare insurers, alongside hundreds of major hospitals, doctors’ offices, and healthcare organizations, including the Mayo Clinic Health Systems, has revealed its systems were breached, exposing the patient data of nearly 1.4 million individuals.
- A healthcare technology provider used by Humana, Mayo Clinic Health Systems, and hundreds more hospitals says hackers stole sensitive data belonging to nearly 1.4 million people.
- The breach exposed information including Social Security numbers, insurance details, and medical treatment data.
- Experts say the attack highlights how sophisticated phishing campaigns are becoming harder for employees and security teams to detect.
The Kentucky-based AI-driven healthcare technology company filed an initial breach notification with the California Attorney General’s office detailing the January breach and began sending notices to affected individuals earlier this month.
Now, ClassAction.org, the nonprofit group handling the case, said on Tuesday that Xsolis is facing a possible class action lawsuit on behalf of the 1,396,519 people affected by the hack.
Hundreds of health systems impacted
“On January 22nd, 2026, Xsolis became aware of unauthorized activity impacting a limited portion of the Xsolis environment, resulting from a targeted phishing attack on January 20th, 2026,” the company wrote in a breach notice dated June 5th.
The unauthorized actor was said to have “acquired certain files” from Xsolis systems, whose Dragonfly AI platform is used by more than 600 healthcare organizations nationwide. The company said upon discovering the intrusion, it “immediately contained the activity and terminated the unauthorized access.”
The platform combines clinical records and AI-powered data analysis to help healthcare organizations make decisions about patient care and payments, including hospital admissions, lengths of stay, medical-necessity reviews, and reimbursements.
The Xsolis customer list, although not public, includes the nation's leading health insurers, hospitals, health systems, regional health plans, and provider-sponsored networks, including Humana, the Mayo Clinic, and CommonSpirit Health, one of the largest non-profit hospital systems in the country.
Ross Filipek, CISO at Corsica Technologies, says the concern for this breach goes beyond the individual records, as Xsolis data is aggregated across multiple providers and payer clients.
“Because Xsolis sits at the decision-making layer of healthcare, if that trust is shaken, the fallout is not just about confidentiality. It can raise questions about clinical judgment, financial fairness, and the technology patients and providers rely on,” he says.
So far, several hospitals have come forward to say they have been impacted by the hack, The HIPAA Journal reported on Tuesday, including VHC Health, serving Northern Virginia and the Washington, DC, metro area, and Rochester Regional Health in New York.
And although there is no evidence of an extorsion attempt, it is estimated the privately held Xsolis brings in somewhere between $54 million and $73.5 million in annual revenue.
What data was compromised?
According to Xsolis, which brought in outside cybersecurity experts to investigate and mitigate any damage, exposed sensitive data may include:
- Names
- Addresses
- Date of birth
- Health insurance information
- Social Security numbers
- Medical treatment information
Filipek says the biggest concern is how useful the information is once it’s out in the wild.
“A Social Security number is bad enough on its own, but when you pair it with health insurance details and treatment information, it gives criminals a much fuller picture of a person’s life,” he explains.
Filpek warns the exposure could easily lead to identity fraud, medical identity theft, or follow-up phishing attacks that feel far more believable because they are built around real patient context.
The company says it has reviewed and implemented additional security protocols and is offering free credit monitoring as a precautionary measure to those who may have been impacted.
Xsolis is also encouraging potentially affected individuals “to remain vigilant by reviewing account statements, explanation of benefits statements, and credit.”
Phishing attack timeline condensed
Max Gannon, Cyber Intelligence Team Manager at Cofense, says the attack timeline suggests a sophisticated threat actor likely targeted Xsolis directly.
"The speed of this attack tells us everything we need to know. Threat actors moved from initial phishing compromise to active data exfiltration in just 48 hours; a timeline that strongly reinforces Xsolis's characterization of this as a targeted attack, not an opportunistic one, Gannon said.
Check if your data has been leaked
Gannon says phishing attacks, which are increasingly powered by AI, pose a challenge for defenders.
“How do you defend against a phishing attack so precisely crafted that even a well-trained employee can't tell it's fake?” Gannon poses the question, adding that “in the age of AI-assisted attacks, context is the new last line of defense.”
It’s not just about finding out who in the company clicked a bad link, but how many other employees did and what the attacker learned before IT teams found out, he explains.
“Organizations that invest in behavioral context (mapping lateral exposure across teams when one credential is compromised) are far better positioned to detect these attacks before they escalate into the kind of breach Xsolis is now managing," Gannon says.
Why healthcare remains a prime target
According to recent research by Omega Systems, 85% of healthcare practices were disrupted by a third-party or "vendor-of-a-vendor" failure in the past year – and yet only 70% say they're confident in their vendors' security.
What’s more another 63% say they do not continuously monitor those vendors at all, the reserach found.
The Omega report further states that more than 90% of practices using AI in patient-facing and administrative workflows – as in the case with the Xsolis breach – often lack the oversight in place to confirm those tools meet emerging security and compliance standards.
Besides the possible class action lawsuit, the Xsolis breach is also under investigation by the US Office for Civil Rights for potential HIPAA violations.
Unlock more exclusive Cybernews content on YouTube.