Skip to main content
Emerging ThreatsData Breaches

AdaptHealth Breach Exposes Patient Data via Social Engineering Tactics

Brightly lit healthcare setting with paper files and computer screens.

"due to the nature and potential volume of the data that is at risk," AdaptHealth determined on June 27, concluding the incident met the threshold for a material disclosure to the Securities and Exchange Commission.

How attackers gained access through a third-party contractor

AdaptHealth says the breach began not with a direct compromise of its on‑premises systems but with social engineering aimed at an unwitting third‑party contractor. The company told the SEC the attackers "sweet‑talked" their way into cloud systems by exploiting the contractor’s access, which allowed the intruders entry to AdaptHealth’s cloud environment and the business applications hosted there.

From that foothold, attackers accessed internal patient management systems, document storage platforms and external electronic health record system portals, according to the disclosure. AdaptHealth did not identify the contractor by name in the filing.

What data the attackers stole

AdaptHealth confirmed that a range of sensitive data was exfiltrated. The company singled out a "password file associated with insurance billing" and confirmed that personally identifiable information (PII) and protected health information (PHI) of certain patients were also taken.

Importantly, AdaptHealth said Social Security numbers and payment details are not thought to be affected. The company has not provided an exact tally of affected records or patients; it said investigations are continuing to determine the scope of the breach.

AdaptHealth's response and containment steps

According to the SEC filing, AdaptHealth activated its incident response protocols soon after the attacker contacted the company on June 15 and disclosed the theft. The company's immediate measures included disabling the contractor’s user account, resetting credentials and implementing additional access controls.

AdaptHealth said it "believes the attack is now contained" and also stated it "has since taken steps intended to mitigate the risk of dissemination of the exfiltrated data." The company did not state whether any extortion demand was made or whether a ransom was paid, and no criminal group had claimed responsibility at the time of the disclosure.

Regulatory threshold: why AdaptHealth reported to the SEC

On June 27 AdaptHealth determined the compromise could be considered material "due to the nature and potential volume of the data that is at risk," triggering a requirement to disclose the incident to the SEC. The company’s disclosure follows established reporting obligations for material cybersecurity incidents, though AdaptHealth did not quantify the size of the exposure in its filing.

The Register contacted AdaptHealth seeking further information, including whether it received extortion demands and what steps were taken to limit distribution or misuse of the stolen data; the company provided the statements cited in the disclosure and said investigations remain ongoing.

What this means for technologists and security teams, the SEC, and patients

  • Technologists and security teams: The intrusion underscores the risk of third‑party access to cloud environments. AdaptHealth’s actions — disabling the contractor account, credential resets and adding access controls — reflect standard containment steps after credential or access abuse.
  • The SEC and disclosure officers: The June 27 materiality determination illustrates how data type and potential volume drive regulatory reporting decisions. Cybersecurity incidents involving PII and PHI can meet the SEC’s materiality threshold even when exact record counts remain unknown.
  • Patients and insurers: Patients should note AdaptHealth confirmed PII and PHI were taken and that a password file tied to insurance billing was exfiltrated; the company says Social Security numbers and payment details are not believed affected. Insurers and billing administrators will likely monitor any fallout tied to insurance‑billing credentials.

AdaptHealth, a Pennsylvania‑based provider of home medical equipment and related services founded in 2012 and specialising in respiratory, sleep and diabetes therapies, serves more than 4.2 million patients across all 50 US states, according to its 2024 annual report. With investigations ongoing, the company has publicly framed the incident as contained and as having met the SEC’s materiality threshold — but it has not disclosed the scale of affected records nor whether extortion played a role.

Read the original report: https://www.theregister.com/security/2026/07/03/adapthealth-crooks-stole-our-passwords-patient-health-data/5266512