Vitalii Gulenok/istock via Getty
AdaptHealth says hackers exfiltrated patient data in social engineering attack
AdaptHealth, a home medical equipment supplier, reported the data breach in an SEC filing.
AdaptHealth, a nationwide supplier of home medical equipment, disclosed a data breach that impacted an undetermined number of patients, according to a Form 8-K filing with the U.S. Securities and Exchange Commission. The company partners with hospitals, physician practices and insurance companies to offer medical equipment, such as wheelchairs, continuous glucose monitors and CPAP machines.
According to the SEC filing, AdaptHealth received a communication from a cyberthreat actor on June 15, 2026, claiming to have obtained certain data from its systems. Further investigation revealed that the cyberthreat actor exfiltrated stored password files associated with insurance billing, certain external EHR system portals and patients' protected health information.
AdaptHealth later determined that the incident was the result of a successful social engineering attack in which a hacker compromised a user session associated with a third-party contractor.
"Following detection, the Company promptly implemented containment measures, including disabling the compromised user account, resetting affected credentials, and implementing additional access controls, and the incident has been contained," the filing stated.
"The Company is continuing to investigate the nature and scope of the incident with external forensics teams. The full scope of affected data sets has not yet been determined, and specific information regarding the volume of data at issue is not yet available. The Company has since taken steps intended to mitigate the risk of dissemination of the exfiltrated data."
By June 27, 2026, AdaptHealth determined that the incident was material due to the nature of the exposed data. As such, it filed Form 8-K with the SEC to notify stakeholders.
Although the attack could affect patient data confidentiality, AdaptHealth confirmed that the incident has not materially affected its operations or its ability to serve patients. The company said it maintains cyber insurance to cover certain losses. However, at this time, it is unable to estimate the full financial impact of the incident, which could include remediation costs, legal and regulatory fees and reputational impact.
Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.