AdaptHealth says contractor breach exposed patient and billing data

AdaptHealth has disclosed that attackers used social engineering to break into its cloud environment through a third-party contractor, exposing sensitive patient information and credentials tied to in...

AdaptHealth has disclosed that attackers used social engineering to break into its cloud environment through a third-party contractor, exposing sensitive patient information and credentials tied to insurance billing.

In a filing with the U.S. Securities and Exchange Commission, the Pennsylvania-based home medical equipment provider said the intruders reached internal patient management tools, document storage systems, and portals connected to external electronic health record platforms. The company said it became aware of the issue on June 15, when the attacker contacted the organization and reported the theft.

What data was taken

According to AdaptHealth, the stolen material includes a file containing passwords associated with insurance billing, as well as personally identifiable information and protected health information belonging to some patients. The company said it does not believe Social Security numbers or payment card data were affected.

AdaptHealth did not say whether the incident involved an extortion demand or whether any payment was made. At the time of disclosure, no known ransomware or extortion group had claimed responsibility.

Company response and investigation

After learning of the intrusion, AdaptHealth said it activated its incident response process, disabled the contractor’s account, reset credentials, and added further access controls. The company said it believes the event is now contained, though its investigation is still under way to determine the full scope of the exposure.

On June 27, AdaptHealth concluded that the breach was material because of the nature and possible volume of data at risk, which triggered the SEC filing requirement. The company also said it has taken steps intended to reduce the chance that the stolen information will be disseminated or misused.

  • Attack path: social engineering through a third-party contractor
  • Systems accessed: patient management, document storage, and EHR portals
  • Data exposed: patient information, health records, and billing-related passwords
  • Believed unaffected: Social Security numbers and payment details

AdaptHealth, founded in 2012, provides respiratory, sleep, and diabetes-related equipment and services. In a 2024 annual report, it said it serves more than 4.2 million patients across all 50 U.S. states.