AdaptHealth is investigating a material cybersecurity incident after a threat actor gained unauthorized access to certain company systems and exfiltrated data.
In a filing with the U.S. Securities and Exchange Commission (SEC), AdaptHealth says it received communication from a threat actor on June 15th, 2026, claiming possession of company data.
According to the home medical equipment provider, the bad actor had unauthorized access to cloud-based business applications, including internal patient management systems and document storage platforms.
AdaptHealth confirms certain data was stolen, including a stored password file associated with insurance billing, as well as personally identifiable information and protected health information of patients.
The company states the incident was a successful social engineering attack that compromised a user session from a third-party contractor. Containment measures have been implemented, and the incident is contained. The full scope of the data breach is still under investigation.
AdaptHealth reports the cybersecurity event has not impacted its operations or ability to serve patients. The company maintains cybersecurity insurance to cover potential losses from the breach.