AdaptHealth has revealed it was hit by a cyberattack resulting in data exfiltration last month, yet stressed that vital customer data such as payment card information was not compromised by the breach.
In a Form 8-K filed with the US Securities and Exchange Commission (SEC) on 2 July, the provider of home-based medical devices including continuous positive airway pressure (CPAP) machines said a threat actor reached out on 15 June, claiming to have obtained certain data from AdaptHealth’s systems.
Discover B2B Marketing That Performs
Combine business intelligence and editorial excellence to reach engaged professionals across 36 leading media platforms.
AdaptHealth confirmed that a breach had occurred, resulting in the exposure of patient data, including stored password files associated with insurance billing mandates and certain personally identifiable and protected health information (PHI). The cyber attacker had gained access through the company’s cloud-based applications, including certain patient management and document storage platforms.
By 27 June, AdaptHealth determined the incident ‘material’, given its nature and the potential volume of data placed at risk.
The Pennsylvania-based company stressed, however, that no Social Security numbers or individual financial account or payment card information of its customers had been exposed, given that no such information was stored within the systems.
Offering more details, AdaptHealth shared that since becoming aware of the cyberattack, it had discovered that the incident was the result of a ‘successful social engineering attack’ that compromised a user session associated with a third-party contractor.
Following detection, AdaptHealth promptly implemented containment measures, including disabling the compromised user account, resetting affected credentials, and implementing additional access controls, and the incident has been contained, the company stated.
While the full scope of affected datasets has not yet been determined, AdaptHealth concluded the Form 8-K by stating that it is continuing to investigate the nature and scope of the incident and taking steps to mitigate the risk of any exfiltrated data’s dissemination.
AdaptHealth’s breach is the latest in a maelstrom of cyberattacks that have impacted companies operating in the healthcare space in recent months. Medtronic was impacted by a cyber breach comparable to AdaptHealth’s in April, while Stryker was hit by an Iran-linked cyberattack in March that caused widespread disruption to its operations.
