AdaptHealth has disclosed a material cybersecurity incident involving unauthorized access to patient data and is investigating the scope of the data theft after a threat actor claimed to have obtained files containing patient information.
SEC Filing Describes Cybersecurity Incident
AdaptHealth, a publicly traded healthcare company that provides home medical equipment, diabetes supplies, and sleep therapy products, reported the incident in a Form 8-K filing with the U.S. Securities and Exchange Commission.
The company stated that on June 15, 2026, a threat actor contacted AdaptHealth and claimed to possess files containing patient data. AdaptHealth initiated an investigation, retained third-party cybersecurity specialists, and notified law enforcement.
The investigation determined that certain cloud-based business applications were accessed by the threat actor. The affected systems included internal patient management systems and document storage platforms. AdaptHealth stated that the threat actors extracted compromised files containing personally identifiable information (PII) and protected health information (PHI).
AdaptHealth stated that it considers the event to be a material cybersecurity incident because of the nature of the information involved and the potential volume of data at risk.
Investigation Identified Initial Access Method
AdaptHealth stated that its investigation has determined that the unauthorized access resulted from a response to a social engineering attack involving a third-party contractor.
According to the company, the attack allowed the contractor’s credentials to be obtained. The threat actor also obtained a stored password file associated with insurance billing and access to external electronic health record portals.
The investigation remains ongoing.
Response Measures Implemented
In response to the security breach, AdaptHealth disabled the affected account, reset all credentials, and implemented additional access controls.
The company stated that the cybersecurity incident has not affected its operations or patient services.
AdaptHealth stated that it is continuing its review to determine the full extent of the data theft.
Scope of the Incident Remains Under Review
AdaptHealth stated that the types of information involved have not yet been determined and the number of affected individuals is unknown.
The company does not gather patients’ Social Security numbers. Patients’ financial account information and payment card information are not stored in the compromised systems. The financial impact of the incident is still under investigation.
AdaptHealth indicated that potential costs could include forensic services, breach notification activities, legal and regulatory responses, and remediation measures.
AdaptHealth maintains a cybersecurity insurance policy that may cover certain losses associated with the incident.
Report Identifies Apparent Extortion Attempt
One approved source reported that AdaptHealth has not identified the threat actor responsible for the incident. Butthe incident appears to be a data theft and extortion attempt involving the ShinyHunters threat group. That report stated that ShinyHunters added AdaptHealth to its data leak site and threatened to publish the stolen data if a ransom is not paid after issuing a final warning.
The Form 8-K filed with the U.S. Securities and Exchange Commission does not identify a threat actor.