Home / The Long Read / Research
Long Read

AdaptHealth breach reached patient data through a third-party contractor's stolen credentials

AdaptHealth told the SEC that attackers reached patient data through a third-party contractor's stolen credentials, obtained by social engineering. The number of affected individuals is not yet confirmed. For third-party risk teams, contractor and vendor accounts are part of the attack surface.

AdaptHealth breach reached patient data through a third-party contractor's stolen credentials
TL;DR

AdaptHealth told the SEC that attackers reached patient data through a third-party contractor's stolen credentials, obtained by social engineering. The number of affected individuals is not yet confirmed. For third-party risk teams, contractor and vendor accounts are part of the attack surface.

AdaptHealth, a US home medical equipment provider, has told the Securities and Exchange Commission (SEC) that attackers reached its patient data through a third-party contractor. The company says a social engineering attack (manipulating a person, not exploiting software) let the intruder obtain the contractor's login credentials, then use them to enter cloud-based business applications holding patient information. AdaptHealth determined the incident to be material on 27 June 2026 and disclosed it in a Form 8-K. The lesson for other organisations: your contractors' and vendors' accounts are part of your attack surface, and one borrowed identity can reach the systems where regulated data lives.

AdaptHealth breach (June 2026): the entry point was a borrowed identity No system was broken into. A third-party contractor's stolen credentials reached the apps where patient data lives. Threat actor social engineering (people, not code) ShinyHunters (claimed, unverified) Third-party contractor credentials stolen AdaptHealth cloud business apps patient management systems document storage platforms external EHR portals Data exfiltrated Personally identifiable info (PII) Protected health info (PHI) Insurance-billing password file Affected individuals: not yet confirmed Not affected, per AdaptHealth: Social Security numbers (not collected), payment card and financial account data, operations and patient services Third-party risk, in one line: Attackers did not break a system. They borrowed a contractor's identity, and it reached the apps where patient data lives. Sources: AdaptHealth Form 8-K (SEC), The HIPAA Journal, The Register. Draft diagram for Breach Wire, Supplier Shield.

What happened

According to AdaptHealth's Form 8-K, a threat actor contacted the company on 15 June 2026, claiming to hold files with patient data. AdaptHealth's investigation found that the unauthorised access followed a social engineering attack on a third-party contractor, which allowed the contractor's credentials to be obtained. Using that access, the intruder reached cloud-based business applications, including internal patient management systems and document storage platforms, and external electronic health record portals. Files containing personally identifiable information (PII) and protected health information (PHI, health data protected under US law) were taken. A stored password file tied to insurance billing was also obtained. AdaptHealth says it does not collect Social Security numbers, and that payment card and financial account data are not stored in the affected systems. The number of affected individuals is not yet confirmed, and the review is ongoing. The ShinyHunters extortion group has claimed the attack and added AdaptHealth to its leak site. AdaptHealth has not named or confirmed the actor, so that claim is unverified.

Why it matters for third-party risk

The entry point was not AdaptHealth's own staff or software. It was a contractor's identity. This is the supplier-as-weak-link pattern in a pure form: the attackers did not break into a system, they borrowed a trusted account and walked in. Contractor and vendor credentials often carry standing access to core applications, yet they frequently sit outside the identity controls a company applies to its own employees. When a company measures its attack surface only by its own systems, that gap is invisible until it is used.

What teams should take from it

Treat third-party and contractor accounts as first-class identities. Enforce phishing-resistant multi-factor authentication on them, scope their access to the minimum each role needs, and monitor those sessions for unusual activity. Then map which vendor and contractor accounts can reach systems holding regulated data, because that inventory, not the org chart, is where breach impact is actually decided. To see how continuous vendor monitoring works, Acuna's supplier-risk resource sets out the practice.

FAQ

Was this a breach of AdaptHealth's own systems?

No. AdaptHealth says the access came through a third-party contractor's stolen credentials, obtained via social engineering, which then reached its cloud-based business applications.

What data was affected?

Files with PII and PHI, plus a stored password file tied to insurance billing. AdaptHealth says it does not collect Social Security numbers, and that payment card and financial account data were not held in the affected systems.

How many people are affected?

AdaptHealth has not confirmed a number. The company says the investigation is ongoing and the extent of data theft is still being determined.

What to do next

Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.

Read next

Progress tells ShareFile customers to pull the plug: an ICT supplier's threat becomes everyone's downtime

Progress tells ShareFile customers to pull the plug: an ICT supplier's threat becomes everyone's downtime

On 10 July 2026 Progress Software told ShareFile customers running Storage Zone Controllers to shut down the hosting Windows servers over a credible external threat. No patch, no CVE, and cloud access to affected accounts disabled. The pattern is concentration risk: one widely used file-sharing supplier is a single point of exposure, and its emergency is inherited by everyone downstream, including firms that only touch it through a vendor.

Read article
Deutsche Bank incident began at a third-party marketing platform, not the bank's network

Deutsche Bank incident began at a third-party marketing platform, not the bank's network

A cyber incident tied to Deutsche Bank started at a third-party marketing and incentive platform in Germany, not the bank's own network. The Unsafe ransomware group posted alleged employee records; Deutsche Bank says its systems were not affected and the scope is unconfirmed. For financial firms, the lesson is a DORA register one: an edge supplier that holds employee or partner data still belongs in scope.

Read article
Hemmersbach ransomware claim: why a breach at an IT services supplier reaches toward its clients

Hemmersbach ransomware claim: why a breach at an IT services supplier reaches toward its clients

A ransomware group has claimed a breach of Hemmersbach, a German IT services provider that works inside its clients' technology estates. Researchers say the exposed data includes credentials to the firm's own identity systems. Hemmersbach has not confirmed the attack and the scope is unverified. For third-party risk teams, the lesson is about vendor access: a supplier's stolen login can become a route toward the clients it serves.

Read article
AdaptHealth breach: contractor credentials opened the door | Breach Wire | Supplier Shield