AdaptHealth

AdaptHealth Investigates Data Breach After Social Engineering Attack, Possible Link to ShinyHunters Emerges

By MedTech Intelligence Staff
AdaptHealth

AdaptHealth is investigating a material cyberattack after attackers used a social engineering scheme to compromise a third-party contractor’s account, stealing patient data from its cloud-based systems as reports link the breach to the ShinyHunters extortion group, though the attribution remains unconfirmed.

AdaptHealth, a U.S. provider of home-based medical equipment, is continuing to investigate a material cyberattack that exposed patient information after attackers used a social engineering scheme to compromise a third-party contractor’s account and gain access to the company’s cloud environment.

The company disclosed the incident in a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC) on July 2, stating that a threat actor gained unauthorized access to several cloud-based business applications, including internal patient management systems, document storage platforms, and certain external electronic health record (EHR) portals.

According to AdaptHealth, the breach resulted in the theft of patient data, including certain personally identifiable information (PII), protected health information (PHI), and stored password files associated with insurance billing. The company said the affected systems did not contain Social Security numbers, individual financial account information, or payment card data.

The incident began when attackers successfully carried out a social engineering attack against a third-party contractor, compromising an authenticated user session and allowing access to AdaptHealth’s cloud-based systems. After detecting the intrusion, the company disabled the affected account, reset credentials, implemented additional access controls, and engaged external digital forensics experts to investigate the breach.

AdaptHealth said a threat actor first contacted the company on June 15, claiming to possess company data. Following its investigation, the company determined on June 27 that the breach was material because of the nature of the incident and the potential volume of sensitive data involved, triggering SEC disclosure requirements.

While the forensic investigation remains ongoing, AdaptHealth has not disclosed how many patients were affected or the full scope of the compromised data. The company also has not confirmed whether a ransom demand was received or whether any negotiations took place.

In recent days, cybersecurity researchers have reported that the cybercrime group ShinyHunters has listed AdaptHealth on its data leak site, suggesting the group may be responsible for the attack. However, AdaptHealth has not attributed the incident to any specific threat actor, and no law enforcement agency has publicly confirmed the group’s involvement. As a result, any attribution to ShinyHunters remains unverified.

The company said it has taken steps to reduce the risk of further dissemination of the stolen data and emphasized that the incident has not disrupted its operations or affected its ability to continue serving patients.

AdaptHealth also said it is still assessing the financial impact of the breach, including incident response costs, legal and regulatory obligations, patient notification expenses, and potential reputational damage. The company noted that its cybersecurity insurance may offset some of these costs.

Meanwhile, several U.S. law firms have announced investigations into potential class-action litigation on behalf of individuals whose information may have been exposed. These investigations are in their early stages, and no court has certified a class action related to the incident.

The breach adds to a growing wave of cyberattacks targeting healthcare organizations, where attackers increasingly rely on identity-based attacks and social engineering rather than exploiting software vulnerabilities. By compromising trusted third-party accounts, threat actors can bypass traditional security controls and gain access to cloud-hosted systems containing sensitive patient information.

AdaptHealth has not yet announced when affected individuals will be notified, and the total number of impacted patients remains unknown. The company is expected to provide additional updates once its forensic investigation is complete and it has a clearer understanding of the scope of the breach.

Related Articles

About The Author

MedTech Intelligence