Xsolis disclosed a data breach after unauthorized activity on its systems on January 22. For readers asking what is a data breach, this one involved access to files holding personal and protected health information from clients, not a routine systems glitch.
The US Department of Health and Human Services said 1,396,519 individuals were affected. That scale turns the incident from an internal security event into a large exposure of names, dates of birth, addresses, Social Security numbers, health insurance information, and medical treatment information.
Xsolis and January 22
The intrusion followed a targeted phishing attack carried out two days earlier. That matters because phishing uses deceptive messages to trick a person into opening the door for an attacker, which can make one mistake enough to reach a broader file set.
Xsolis said hackers gained access to files storing personal and protected health information received from its clients. The company did not say that attackers took over all of its systems, but the stolen material was sensitive enough to raise the stakes for anyone whose records were inside those files.
What Xsolis exposed
The exposed information included names, dates of birth, addresses, Social Security numbers, health insurance information, and medical treatment information. That combination gives an attacker multiple ways to try identity fraud or misuse coverage-related data if the files are circulated later.
Xsolis also said it was not aware of any actual or attempted misuse of information because of this incident. That statement leaves a gap between access and harm: the files were reached, but the company has not pointed to abuse of them so far.
HHS tracker adds Xsolis
The Xsolis cybersecurity incident was added to the HHS data breach tracker on Monday. Early June is when Xsolis published a data security notice, which is the closest thing affected people have to a formal notice trail in the material available here.
No known ransomware group appears to have taken credit for the attack. Whether Xsolis was targeted in an extortion attempt and whether any ransom was paid is the unanswered question that still matters most for judging how much leverage the attacker may have had.
