Xsolis, Inc. Data Breach Investigation


Date of data breach: June 19, 2026

by: Almeida Law Group

Almeida Law Group is investigating a data breach at Xsolis, Inc. The breach occurred on January 20th, 2026 and was discovered on an unspecified date. If you were affected, contact Almeida Law Group.

About Xsolis, Inc.

Xsolis, Inc. is an AI-driven healthcare technology company headquartered in Franklin, Tennessee. It provides case and utilization management software to hospitals, health systems, and health plans through its Dragonfly platform, which uses predictive analytics to assess medical necessity and level of care. The platform is used by more than 600 hospitals and healthcare organizations. Because Xsolis operates as a vendor, many affected individuals may never have heard of the company—their data was shared with Xsolis by their own healthcare providers.

What Happened?

Xsolis, Inc. was listed in a California Attorney General sample breach notice filed on June 19th, 2026. According to that notice and Xsolis’s own press release, the incident was a targeted phishing attack. An unauthorized actor gained access to a limited portion of the Xsolis environment and acquired a limited number of files. Xsolis detected the unauthorized activity on January 22nd, 2026 and says it immediately interrupted and contained the issue and terminated the unauthorized access. There has been no reported evidence of unauthorized activity within the Xsolis environment since January 22nd, 2026, and no evidence of misuse of the impacted data has been identified. Depending on the individual, information that may have been involved includes name, address, date of birth, health insurance information, Social Security number, and medical treatment information. Xsolis is offering 12 months of identity monitoring services through Kroll at no cost to affected individuals.

The total number of people affected across all Xsolis clients has not been publicly disclosed. Rochester Regional Health confirmed that approximately 18,600 of its patients were affected, noting that its relationship with Xsolis had ended in 2021—meaning Xsolis still held legacy patient data at the time of the breach. VHC Health also confirmed it was among the affected clients. Xsolis publicly disclosed the incident via a press release on June 5th, 2026, roughly four and a half months after detection on January 22nd, 2026. No ransomware group or specific threat actor has been publicly attributed to this incident. As of June 19th, 2026, multiple law firms—including Levi & Korsinsky LLP, Migliaccio & Rathod LLP, and Markovits, Stock & DeMarco LLC—have announced class action investigations, though no filed complaints have been confirmed.

Key Facts at a Glance

  • Company or Organization: Xsolis, Inc.
  • Industry: Healthcare technology / AI-driven utilization management software vendor
  • Location: Franklin, Tennessee
  • Incident type: Phishing attack; unauthorized access to and acquisition of files
  • Date of breach: January 20th, 2026
  • Date breach discovered: January 22nd, 2026
  • Date of consumer notification: June 19th, 2026
  • Identity theft protection offered: 12 months of Kroll identity monitoring (credit monitoring, fraud consultation, identity theft restoration) at no cost
  • Prior breach: None found
  • Litigation status: Multiple law firm class action investigations announced as of June 19th, 2026; no filed complaints confirmed
  • Source: California Attorney General sample breach notice (https://oag.ca.gov/ecrime/databreach/reports/sb24-625166); Xsolis press release (https://www.prnewswire.com/news-releases/xsolis-inc-provides-notice-of-data-security-incident-302791875.html); Rochester Regional Health / WHEC (https://www.whec.com/top-news/rochester-regional-health-data-breach-letters-sent-to-18600-patients-after-third-party-vendor-xsolis-hack/)

What Should You Do?

If you received a notice from Xsolis or a healthcare provider that uses Xsolis, you should enroll in the free 12-month Kroll identity monitoring service using the activation code and verification ID provided in your notice. Even if you have not yet received a notice, consider placing a fraud alert or credit freeze with the three major credit bureaus—Equifax, Experian, and TransUnion—and review your credit reports at AnnualCreditReport.com. Monitor your financial accounts and explanation of benefits statements from your health insurer for any charges or services you do not recognize, and review your medical records for inaccuracies that could indicate medical identity theft. If you spot anything suspicious, report it to your bank, insurer, or the Federal Trade Commission at IdentityTheft.gov.

Your Legal Rights

If your personal or health information was involved in this breach, you may have legal rights depending on the facts of the incident and the law in your state. Almeida Law Group represents consumers in data breach and privacy litigation and can help you evaluate whether you may have a claim. Contact us at (708) 529-5418 or through our contact page for a free case evaluation.
