Healthcare technology company Xsolis said a phishing attack in January exposed sensitive data tied to nearly 1.4 million people, including names, addresses, birth dates and Social Security numbers.
KEY FACTS
- Incident Unauthorized activity was detected on Jan. 22 after a phishing attack on Jan. 20.
- Impact 1,396,519 people are listed as affected in a filing with U.S. health officials.
- Data exposed Files contained names, addresses, dates of birth, insurance details, Social Security numbers and medical treatment information.
- Response The company contained the activity, reported the incident to law enforcement and mailed notices to affected individuals.
In a data incident disclosure, the company said the attack affected a limited part of its environment. It said outside cybersecurity experts were brought in to help investigate.
The disclosure said passwords were reset for all users and key accounts, system monitoring was increased and updated security measures were rolled out. The company also said employee security training was accelerated and credential management was strengthened.
Recipients of the notices will be offered 12 months of identity monitoring and identity theft restoration service through Kroll. If an affected customer is a child, the notice will go to parents or legal guardians.
The company has not reported attempted misuse of the exposed information. It said people receiving notices should stay alert for possible targeted attacks.
WHY IT MATTERS
The exposed records include personal and medical information that can be used in identity theft or phishing campaigns. For affected people, the breach may create longer-term privacy and security risks even if no misuse has been reported so far.