3rd Party Risk Management
,
Data Breach Notification
,
Data Privacy
AdaptHealth Says Social Engineering Scam Also Affects External EHR Portal Data

A publicly traded home medical equipment and services supplier has told U.S. regulators that hackers recently stole a potentially large volume of patients’ sensitive health and personal information, including data from external electronic health record portals, in a social engineering incident.
See Also: Know Thy Enemy: Threats to Cyber Resilience
Pennsylvania-based AdaptHealth in a July 2 filing to the U.S. Securities and Exchange Commission, said its investigation into the hack is ongoing, but that on June 27 it determined that “the incident is material, due to the nature and potential volume of the data that is at risk.”
AdaptHealth also disclosed that on June 15 the company received a communication from a threat actor who claimed to have “obtained” certain data from the company’s systems. AdaptHealth’s filing also signaled that it potentially paid a ransom, telling the SEC that the company “has since taken steps intended to mitigate the risk of dissemination of the exfiltrated data.”
AdaptHealth told the SEC that it has confirmed that data was stolen from its systems including a stored password file associated with insurance billing. The company also confirmed that threat actors accessed “certain external electronic health record system portals,” AdaptHealth said.
Compromised data identified so far includes passwords associated with insurance billing and certain personally identifiable information and protected health information of patients, AdaptHealth said. “The company does not collect Social Security numbers in the affected systems and does not store individual financial account information or payment card information in those systems.”
The incident involved “a successful social engineering attack that compromised a user session associated with a third-party contractor,” AdaptHealth told the SEC.
The company says it “promptly implemented containment measures, including disabling the compromised user account, resetting affected credentials and implementing additional access controls” and that “the incident has been contained.”
So far the cyberattack has not had “a material impact” on AdaptHealth’s operations and has not affected the company’s ability to serve patients. “At this time, the company is unable to determine the full financial impact of the incident, including remediation and response costs, legal, regulatory and notification-related matters, and possible effects on patients, counterparties and the company’s reputation,” AdaptHealth told the SEC. “The company maintains cybersecurity insurance that may cover certain losses associated with the incident.”
AdaptHealth did not immediately respond to ISMG’s request for additional details about the incident, including whether the company paid a ransom demand to threat actors and for details about the external EHR portals that hackers accessed.
AdaptHealth, which reported net revenue of $3.2 billion in fiscal 2025, says on its website that it provides breathing, sleep, mobility, diabetes care and other home-health equipment and services to 4.3 million patients annually, including Medicare and Medicaid beneficiaries, through a network of more than 600 locations in 48 states.
The 14-year-old, Conshohocken, Pennsylvania-based AdaptHealth is among the latest of several other large medical equipment suppliers and manufacturers hit by hackers in recent months. Others include medical device maker Medtronic, which last week began notifying about 3.8 million patients of an April data theft hack claimed by cybercrime gang ShinyHunters, and a wiper attack by Iranian hacktivist group Handala in March on medical technology firm Stryker.
Also, TriMed, a California maker of implantable orthopedic gear in March disclosed it was a victim of a recent cybersecurity incident, as did UFP Technologies, a Massachusetts-based maker of single-use medical devices and other healthcare supplies in late February.
Besides compromising the privacy and security of patient data, hacking incidents involving critical third-party suppliers of medical equipment and services are among the most complicated and persistent challenges facing the healthcare sector, experts said (see: Free Healthcare Toolkit Ranks, Maps Third Party Risk).
That’s because of the sheer volume and wide variety of vendors involved and the mission-critical products and services they provide to hospitals and medical practices – and the sensitive patient data they often handle – make those suppliers highly attractive targets for cybercriminals.
