A healthcare AI vendor disclosed a data breach that affected 1.4 million people after a targeted phishing attack exposed sensitive patient information, including Social Security numbers and medical records. Patients at Mayo Clinic, University of Washington Medicine, and VHC Health are among those notified, highlighting the ongoing danger third-party vendors pose to health systems.
Xsolis, which sells AI-powered utilization management and payer-provider collaboration tools, ranks Best in KLAS for physician advisory services and serves hospitals nationwide. On January 22, 2026, the company detected a phishing attack and said it immediately contained the intrusion, terminating the unauthorized access.
Files acquired by the attacker contained names, addresses, dates of birth, Social Security numbers, medical treatment details, and health insurance information. Xsolis has found no evidence the data was misused. The company set up a call center and is offering free credit monitoring and identity protection to affected individuals.
Affected healthcare organizations
Xsolis did not release a client list, but several organizations published their own notices. Mayo Clinic said it learned of the incident on April 23, 2026, and moved quickly to assess the impact and confirm Xsolis was responding appropriately. It did not disclose how many Mayo patients were involved.
University of Washington Medicine reported that roughly 23,600 of its patients were affected. Virginia-based VHC Health posted a link to Xsolis's breach notice on its website.
The wider third-party risk picture
New survey data from Omega Systems, a managed IT and security services firm, shows third-party breaches remain a persistent threat. The company polled 200 healthcare executives and IT leaders and found that 85% had experienced at least one operational disruption caused by a vendor in the past year. Twenty-four percent said not knowing their vendor network's security posture was a top IT concern.
"The third-party attack surface is wide, growing, and under-monitored," the Omega Systems report said. "For healthcare practices that have not yet experienced a consequential breach through a vendor connection, that may reflect good fortune more than a strong defense."
Why this matters for healthcare professionals
The breach illustrates how deeply health systems depend on technology partners, and how a single phishing attack on a vendor can ripple across multiple organizations and expose highly personal data. When evaluating AI for healthcare, professionals must press vendors on security practices and incident response, because patient trust and compliance with HIPAA hinge on a supply chain that remains under constant attack.