AdaptHealth Reports Patient Data Stolen in Cyberattack

AdaptHealth Reports Patient Data Stolen in Cyberattack

Advertisement

According to a July 2 filing with the U.S. Securities and Exchange Commission (SEC), the attacker accessed certain cloud-based business applications, including internal patient management systems, document storage platforms, and some external electronic health record (EHR) system portals.

Home medical equipment provider AdaptHealth has disclosed that patient data was stolen in a recent cyberattack after a threat actor gained unauthorized access to the company's systems through a social engineering attack targeting a third-party contractor.

According to a July 2 filing with the U.S. Securities and Exchange Commission (SEC), the attacker accessed certain cloud-based business applications, including internal patient management systems, document storage platforms, and some external electronic health record (EHR) system portals.

The company said the incident resulted in the exfiltration of data, including certain personally identifiable information (PII), protected health information (PHI), and stored password files associated with insurance billing.

AdaptHealth stated that it does not collect Social Security numbers in the affected systems and does not store financial account or payment card information on the compromised platforms.

The company said it has not yet determined the full scope of the affected datasets or the volume of data that was stolen. An investigation is ongoing with the support of external forensic experts.

According to the SEC filing, the incident has been contained. AdaptHealth said it has taken steps to reduce the risk of further dissemination of the stolen data, including disabling the compromised user account, resetting affected credentials, and implementing additional access controls.

The company determined on June 27 that the incident was material due to "the nature and potential volume of the data that is at risk." The threat actor had informed AdaptHealth on June 15 that data had been taken from its systems.

AdaptHealth, which supplies home healthcare equipment such as CPAP devices, continuous glucose monitors, and insulin pumps, said the cyberattack has not had a material impact on its operations or its ability to continue serving patients.

However, the company said it is still assessing the financial implications of the breach, including remediation and response costs, legal and regulatory obligations, notification requirements, and potential reputational impact. AdaptHealth added that it maintains cybersecurity insurance that may cover certain losses related to the incident.

The disclosure comes amid a series of cybersecurity incidents affecting the medical technology sector. Companies including Stryker, Intuitive Surgical, Medtronic, and iRhythm have also reported cyberattacks in recent months, highlighting continued cybersecurity risks across the healthcare and medtech industry.

Stay tuned for more such updates on Digital Health News

Follow us

More Articles By This Author


Show All

Sign In / Sign up