Hackers stole sensitive patient information from home medical equipment provider AdaptHealth after compromising a third-party contractor through a social engineering attack.
What happened
According to Bank Info Security, home medical equipment supplier AdaptHealth has disclosed that hackers stole sensitive patient information following a successful social engineering attack that compromised one of its third-party contractors. The Pennsylvania-based company revealed the incident in a July 2 filing with the U.S. Securities and Exchange Commission (SEC), stating that it determined the breach was material because of the nature and potential volume of data at risk.
According to the filing, the company was contacted by a threat actor on June 15 claiming to possess data taken from its systems. An investigation later confirmed that the attackers had exfiltrated patient information, including protected health information (PHI), personally identifiable information (PII), stored password files linked to insurance billing, and data from certain external electronic health record (EHR) portals. The company said Social Security numbers, payment card information, and financial account details were not stored in the affected systems.
Going deeper
The attackers gained access by compromising a user session belonging to a third-party contractor through a social engineering attack. Once the unauthorized access was discovered, the company disabled the compromised account, reset affected credentials, and implemented additional access controls to contain the incident.
While the investigation remains ongoing, AdaptHealth said the breach has not materially disrupted its operations or affected its ability to provide services to patients. The company also indicated it has taken steps to reduce the risk of the stolen information being disseminated, suggesting it may have negotiated with the threat actor, although it has not confirmed whether a ransom was paid. The financial impact of the incident, including remediation, legal, regulatory, and notification costs, has yet to be determined.
What was said
In its SEC filing, AdaptHealth stated that it determined the incident was “material, due to the nature and potential volume of the data that is at risk.”
According to the filing, the threat actor gained unauthorized access to “certain of the Company's cloud-based business applications, including certain internal patient management systems and document storage platforms,” as well as “certain external electronic health record system portals.” The company said the breach resulted from a “successful social engineering attack that compromised a user session associated with a third-party contractor.”
Despite the breach, AdaptHealth said the incident has been contained and “has not had a material impact” on its ability to continue serving patients.
The bigger picture
Social engineering is one of the most common ways cybercriminals breach healthcare organizations. Rather than exploiting software vulnerabilities, attackers manipulate employees, contractors, or vendors into granting access by exploiting trust, urgency, or fear. Common tactics include phishing emails, business email compromise (BEC), SMS phishing (smishing), and phone-based impersonation (vishing), where attackers pose as executives, IT staff, or trusted partners to steal credentials or bypass security controls.
Once an attacker gains access to an account, they can move through internal systems to steal PHI, PII, or other sensitive business data, as seen in the AdaptHealth incident, where a compromised third-party contractor account provided access to patient management systems and document storage platforms.
Social engineering remains the leading cause of healthcare data breaches. Paubox reports estimate that phishing-related attacks account for more than 70% of healthcare cyber incidents, while 60% of healthcare IT leaders report experiencing an email-related security incident or breach in 2025. These statistics underscore the importance of phishing-resistant multi-factor authentication, ongoing security awareness training, and limiting third-party access to only the systems necessary for their work.
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
Why it matters
Third-party vendors have become one of healthcare's biggest cybersecurity weak points. If one of these accounts is compromised, attackers can gain the same level of access without breaching the healthcare organization's own defenses.
Go deeper: Why vendor access is a weak point
FAQS
Why is PHI valuable to cybercriminals?
PHI often contains personal, medical, and insurance information that can be used for identity theft, insurance fraud, phishing campaigns, and other forms of cybercrime. Unlike credit card numbers, medical records cannot easily be changed, making them particularly valuable.
Why do healthcare organizations give vendors access to their systems?
Healthcare organizations rely on third-party vendors for services such as medical equipment management, IT support, billing, cloud hosting, and electronic health records. These vendors often need access to internal systems to perform their work efficiently.
What should organizations look for before granting a vendor system access?
Organizations should verify that vendors use strong authentication, maintain up-to-date security controls, provide employee cybersecurity training, and have a documented incident response plan. If the vendor will create, receive, maintain, or transmit PHI, the organization should also ensure a business associate agreement (BAA) is in place. A BAA establishes each party's responsibilities for safeguarding PHI, complying with HIPAA, and reporting security incidents or breaches.
