Xolis, a U.S.-based healthcare technology company specializing in AI-driven clinical decision support, has confirmed a major data breach affecting nearly 1.4 million individuals. The incident stemmed from a targeted phishing attack that allowed threat actors to gain unauthorized access to parts of the company’s internal network.
The breach was first detected on January 22, 2026, two days after the initial compromise occurred on January 20. Upon discovery of the suspicious activity, Xolis activated its incident response procedures, contained the affected systems, and engaged external cybersecurity experts to investigate the scope and impact of the intrusion.
Xolis provides its AI-powered platform, Dragonfly, to more than 600 hospitals and insurers, helping automate and support decisions around patient care, utilization management, and insurance reimbursement. Because of its role in processing sensitive healthcare data at scale, the company handles large volumes of personal and clinical information.
According to findings shared with regulators, attackers accessed files containing highly sensitive patient data, including names, addresses, dates of birth, Social Security numbers, health insurance details, and medical treatment information. Filings with the U.S. Department of Health and Human Services indicate that, in total, 1,396,519 individuals are believed to have been impacted.
While Xolis stated it has no evidence that the stolen data has been misused so far, it acknowledged the potential for identity theft and targeted fraud. Given the nature of the exposed information, affected individuals could be at heightened risk of phishing, insurance fraud, and medical identity theft.
In response to the incident, the company has reset user credentials, enhanced system monitoring, and strengthened internal security controls. It has also expanded employee security training and improved credential management practices to reduce the likelihood of similar phishing-based compromises in the future. Affected individuals are being offered 12 months of identity monitoring and restoration services through Kroll, and notifications are being sent to impacted users, including guardians where minors are involved.
The incident highlights the continued effectiveness of phishing as an initial access vector, particularly in healthcare environments where attackers can potentially gain access to highly valuable personal and medical datasets once inside corporate networks.
