Agentic Intelligence · Infomly

An AI vendor your hospital trusts just leaked 1.4 million patient records

AI-Assisted Content — This post was produced with AI assistance and human editorial review.

Xsolis — the AI platform 600+ hospitals use to decide who gets admitted, discharged, and reimbursed — just confirmed 1.4 million patient records were exfiltrated.

Names. Social Security numbers. Health insurance. Medical treatment details.

The attack vector? A phishing email. Two days of undetected access. And patients whose data was shared by their own hospitals — without ever knowing Xsolis existed.

This is the breach pattern your CISO isn't prepared for.

Your hospital signs a contract with an AI vendor. That vendor ingests PHI from every patient interaction. The vendor gets breached. Your patients get notified. Your liability starts.

Xsolis processes clinical data for utilization management — admission decisions, discharge planning, insurance coverage determinations. The data they hold isn't contact information. It's the full clinical picture.

And they weren't breached through some sophisticated zero-day. A phishing email. That's it.

The HHS breach tracker added this incident on June 23. The breach happened in January. Five months of silence before patients learned their medical records were in someone else's hands.

Audit your third-party AI vendor roster today. Map every vendor that touches PHI. Verify their incident response timelines.

Because the next breach won't be your infrastructure. It'll be your supply chain.