A data breach at a vendor for VHC Health may have jeopardized sensitive information including patients’ Social Security numbers, medical diagnoses and account numbers.
VHC Health mailed out notices of the phishing attack on June 5, but the attack on the vendor, Xsolis, Inc., took place on Jan. 22 — affecting an unspecified number of patients. The notices advise patients to “remain vigilant against fraud and identity theft.”
“We are notifying you of this incident because we have determined that some of your information may have been accessed, which may have included your Social Security number, date of birth, doctor name, health insurance provider, medical diagnosis information, medical record number, medical treatment dates, and patient ID or account number,” the notices say.
VHC Health told ARLnow that it was notified of the security incident on April 23, and that the attack “may have exposed information related to some VHC Health patients.”
“VHC Health took immediate action to ensure the breach was contained and Xsolis was taking the appropriate actions to remedy the situation,” the hospital center said. “Patients may receive individual notification from XSolis.”
Since the breach, Xsolis has reset passwords for all users and key accounts, increased monitoring of its systems and rolled out “updated security measures,” among other steps.
“Upon discovering the unauthorized activity, [Xsolis] immediately interrupted and contained the issue and terminated the unauthorized access,” the notices say. “As part of their response and investigation, they engaged external cybersecurity experts and notified law enforcement. There has been no evidence of unauthorized activity within our vendor’s environment since January 22, 2026.”
Potentially affected individuals will receive a notice in the mail with a code for a year of free monitoring and identity protection services.
They’re encouraged to regularly review account statements, monitor their credit reports and report any suspicious activity to their bank. VHC Health encourages patients to visit www.xsolisdataincident.com for more information.
“Protecting your information is important to us. We trust that the services we are offering to you demonstrate our continued commitment to your security and satisfaction,” the notices say. “We deeply regret any inconvenience that this incident may have caused and appreciate your partnership.”
