
Xsolis has disclosed a data breach that exposed the personal and health information of approximately 1.4 million individuals after a phishing attack compromised its systems, according to SecurityWeek. The notice was published via the company’s incident website.
The company said the unauthorized activity was detected on 22 January 2026, following a phishing message that arrived two days earlier. According to the incident notice, the breach was identified after anomalous login activity was seen on an internal server. Xsolis has not disclosed the exact lure used in the email.
The compromised data includes names, dates of birth, postal addresses, Social Security numbers, health insurance information and medical treatment records. The U.S. Department of Health and Human Services has logged the incident on its breach portal, confirming the scale of the exposure. Affected individuals are being offered twelve months of identity monitoring services.
Xsolis said there is no evidence that the stolen data has been misused and no ransomware group has claimed responsibility. The notice also names Rochester Regional Health and Mayo Clinic among the organisations whose patient data was affected. The total number of impacted patients is recorded as 1,396,519.
In response, Xsolis has stated that it has deployed additional security controls to prevent a recurrence. The firm is working with its clients to tighten email filtering and endpoint protection.
Defenders should treat this as a reminder to strengthen email authentication, enforce multi‑factor authentication on all remote access points and run regular phishing simulation exercises for staff. They should also review access controls on systems that store protected health information and ensure that logs are retained long enough to spot early signs of credential theft. Promptly resetting any potentially compromised passwords and monitoring for unusual data exfiltration are further steps that can limit damage.