AdaptHealth discloses patient data was stolen in cyberattack
AdaptHealth disclosed last week that a recent cyberattack resulted in patient data being stolen.
A threat actor gained unauthorized access to company systems through a social engineering attack and exfiltrated data, including certain personally identifiable information, protected health information of patients and stored password files associated with insurance billing, according to a July 2 filing with the Securities and Exchange Commission.
Based on information obtained to date, AdaptHealth believes that the threat actor gained unauthorized access to certain cloud-based business applications, including internal patient management systems and document storage platforms. The company also confirmed that certain external electronic health record system portals were accessed.
While AdaptHealth did not specifically detail the data that was taken, the company said it does not collect Social Security numbers in the affected system, and it does not store financial account information or payment card information in the systems.
AdaptHealth said the full scope of the affected data sets has not yet been determined, and specific information regarding the volume of the stolen data is not yet available.
The incident has been contained, according to the filing. The company is continuing to investigate the attack with external forensic teams.
“The Company has since taken steps intended to mitigate the risk of dissemination of the exfiltrated data,” AdaptHealth said.
AdaptHealth supplies medical devices like CPAP machines and other devices used for sleep apnea, continuous glucose monitors and insulin pumps. Its focus is on home-health supplies.
As of the date of the filing, the incident has not had a material impact on AdaptHealth’s operations and has not affected its ability to serve patients.
“At this time, the Company is unable to determine the full financial impact of the incident, including remediation and response costs, legal, regulatory and notification-related matters, and possible effects on patients, counterparties and the Company’s reputation,” it said. AdaptHealth said it holds cybersecurity insurance that may cover certain losses associated with the attack.
On June 27, the company determined the incident is material due to “the nature and potential volume of the data that is at risk.”
The cyber incident was the result of a social engineering attack that compromised a user session associated with a third-party contractor, according to the filing. Once the attack was detected, the company implemented containment measures, including disabling the compromised user account, resetting affected credentials and implementing additional access controls.
The threat actor notified the company on June 15 that it had taken data from its systems.
AdaptHealth’s incident is the latest in a run of cyberattacks in the medtech space. Stryker, Intuitive Surgical, Medtronic and iRhythm have all disclosed attacks in recent months. Stryker’s attack led to manufacturing and shipping disruptions that lasted for weeks, and meaningfully cut into its first-quarter earnings.