
AdaptHealth told the SEC that attackers reached patient data through a third-party contractor's stolen credentials, obtained by social engineering. The number of affected individuals is not yet confirmed. For third-party risk teams, contractor and vendor accounts are part of the attack surface.
AdaptHealth, a US home medical equipment provider, has told the Securities and Exchange Commission (SEC) that attackers reached its patient data through a third-party contractor. The company says a social engineering attack (manipulating a person, not exploiting software) let the intruder obtain the contractor's login credentials, then use them to enter cloud-based business applications holding patient information. AdaptHealth determined the incident to be material on 27 June 2026 and disclosed it in a Form 8-K. The lesson for other organisations: your contractors' and vendors' accounts are part of your attack surface, and one borrowed identity can reach the systems where regulated data lives.
What happened
According to AdaptHealth's Form 8-K, a threat actor contacted the company on 15 June 2026, claiming to hold files with patient data. AdaptHealth's investigation found that the unauthorised access followed a social engineering attack on a third-party contractor, which allowed the contractor's credentials to be obtained. Using that access, the intruder reached cloud-based business applications, including internal patient management systems and document storage platforms, and external electronic health record portals. Files containing personally identifiable information (PII) and protected health information (PHI, health data protected under US law) were taken. A stored password file tied to insurance billing was also obtained. AdaptHealth says it does not collect Social Security numbers, and that payment card and financial account data are not stored in the affected systems. The number of affected individuals is not yet confirmed, and the review is ongoing. The ShinyHunters extortion group has claimed the attack and added AdaptHealth to its leak site. AdaptHealth has not named or confirmed the actor, so that claim is unverified.
Why it matters for third-party risk
The entry point was not AdaptHealth's own staff or software. It was a contractor's identity. This is the supplier-as-weak-link pattern in a pure form: the attackers did not break into a system, they borrowed a trusted account and walked in. Contractor and vendor credentials often carry standing access to core applications, yet they frequently sit outside the identity controls a company applies to its own employees. When a company measures its attack surface only by its own systems, that gap is invisible until it is used.
What teams should take from it
Treat third-party and contractor accounts as first-class identities. Enforce phishing-resistant multi-factor authentication on them, scope their access to the minimum each role needs, and monitor those sessions for unusual activity. Then map which vendor and contractor accounts can reach systems holding regulated data, because that inventory, not the org chart, is where breach impact is actually decided. To see how continuous vendor monitoring works, Acuna's supplier-risk resource sets out the practice.
FAQ
Was this a breach of AdaptHealth's own systems?
No. AdaptHealth says the access came through a third-party contractor's stolen credentials, obtained via social engineering, which then reached its cloud-based business applications.
What data was affected?
Files with PII and PHI, plus a stored password file tied to insurance billing. AdaptHealth says it does not collect Social Security numbers, and that payment card and financial account data were not held in the affected systems.
How many people are affected?
AdaptHealth has not confirmed a number. The company says the investigation is ongoing and the extent of data theft is still being determined.
Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.


