
Breach Notice Error Fuels Patient Skepticism

The mailed breach notices were dispatched by third‑party vendor Xsolis and—on their face—misnamed the provider as “Rochester Regional Medical Center” rather than Rochester Regional Health, a combination that prompted many recipients to treat the letters as scams.

Xsolis: the third‑party sender and the notice's claim

The letters were sent by Xsolis, identified in the notice as a previously used partner that provides case and utilization management services for Rochester Regional Health. According to the letter itself, the vendor was breached and became aware of unauthorized activity impacting the healthcare facility.

The choice to route a breach notification through a vendor rather than the healthcare system that patients know best is central to how this episode unfolded: the notice named Xsolis as the sender and described the unauthorized activity, but it did not carry Rochester Regional Health’s exact name, creating a gap between the content of the alert and the expectations of its recipients.

Patients' reaction: confusion and discarded notices

Recipients reacted with skepticism. At first glance, many patients believed the mailed notices to be scams, in part because the sender was a third‑party vendor rather than the hospital itself and in part because the letter used the name “Rochester Regional Medical Center” instead of the system’s actual name, Rochester Regional Health. Local reporting cited by the hospital shows that many individuals discarded the letters as a result.

That response undercuts the functional purpose of a breach notice: to inform affected people so they can take steps to protect themselves. In this case, the very mechanism intended to alert patients appears to have reduced the odds that they would read it.

Rochester Regional Health: confirmation and history

Rochester Regional Health confirmed the legitimacy of the mailed notice, according to local reporting. The hospital’s acknowledgment did not, in the account available, resolve the immediate confusion caused by the sender and the misnaming on the letterhead.

The organization has previously experienced breaches in 2020 and 2023. That record of prior incidents is part of the background against which patients judged the most recent mailings—yet the mailing error meant some recipients never reached the point of assessing whether they had reason to be concerned.

What this means for patients, procurement leaders, and security teams

  • Patients and the general public: Recipients who discard notices risk missing important information; in this case, the mismatch between sender and familiar institution name increased the chance that legitimate alerts would be treated as fraud.
  • Procurement leaders and vendor managers at healthcare organizations: The episode highlights the operational importance of who communicates with patients. Procurement and contract teams will watch vendor notification templates and branding closely to avoid sending notices that patients might reject as unfamiliar or suspicious.
  • Security and communications teams at healthcare providers: Incident response and public communications functions will need to align on ownership of breach notices—especially when third parties are involved—so that messages reach affected people with clear, recognizable branding and a straightforward verification pathway.

The practical lesson in this record is simple and sharp: a correct legal notice can fail if patients do not recognize the sender. The question left on the table is concrete—will Rochester Regional Health and Xsolis change who issues breach notices or how those notices are branded so future alerts are read rather than discarded?
