Hendrick Health Faces Class Action Lawsuit Over Delayed Data Breach Notification On June 18, 2026, Potts Law Firm filed a class action lawsuit in Taylor County, Texas, against Hendrick Health and its healthcare technology vendor, Xsolis, Inc., on behalf of patient Ada Louise McHenry and others affected by a January 2026 data breach. The lawsuit alleges that a phishing attack on Xsolis a third-party case management provider for Hendrick Health exposed sensitive patient data, including Social Security numbers, medical records, treatment details, and financial information. The breach, discovered on January 22, 2026, went unreported to affected patients until June 2026, exceeding the 60-day notification window required under federal health data protection laws. The lawsuit claims Hendrick Health and Xsolis failed to implement adequate cybersecurity measures and delayed notifying victims, increasing their risk of identity theft, fraud, and medical privacy violations. Plaintiff McHenry, a longtime Hendrick Health patient, alleges her personal and medical data was compromised. The proposed class includes all individuals whose information was exposed in the breach. The lawsuit seeks damages and injunctive relief for alleged negligence in safeguarding patient data and failing to provide timely breach notifications. The case, Ada Louise McHenry v. Hendrick Medical Center and Xsolis, Inc. (Cause No. 52545-A), is pending in Taylor County District Court.

Xsolis Healthcare AI Platform Hit by Phishing Attack, Exposing Sensitive Patient Data On January 22, 2026, Xsolis a provider of AI-driven case management services for healthcare organizations detected unauthorized activity on its network stemming from a phishing attack that occurred two days prior. The breach compromised files containing highly sensitive patient information, including names, addresses, dates of birth, health insurance details, Social Security numbers, and medical treatment records. The exposed data varied by individual. Xsolis’s Dragonfly platform is widely used by over 600 hospitals and healthcare systems, including major institutions like Advent Health, Mayo Clinic, and Honor Health. The company has begun notifying affected individuals via mail. The incident highlights the growing risk of phishing attacks targeting healthcare infrastructure, where AI-driven platforms manage vast amounts of protected health information. Legal investigations are underway to assess potential class action lawsuits on behalf of impacted individuals, focusing on privacy violations, financial losses, and other damages. No further details on the scope of affected patients or the attacker’s identity have been disclosed.

Rochester Regional Health Patients Notified of Data Breach After Phishing Attack Rochester Regional Health has confirmed a data breach affecting approximately 18,600 patients following unauthorized access to a third-party vendor’s system. The incident stemmed from a phishing attack in January, potentially exposing personal and protected health information. Patients received notification letters from Xsolis, Inc., a former vendor whose services ended in 2021. However, the letters contained errors including an incorrect name, "Rochester Regional Medical Center" leading many recipients to dismiss them as scams. Social media reactions reflected widespread skepticism, with some patients discarding the notices before verifying their legitimacy. This is not the first breach for Rochester Regional Health, which experienced similar incidents in 2020 and 2023. In December, the health system secured $15 million in state funding to bolster its cybersecurity defenses. Cybersecurity experts, including Rochester Institute of Technology professor Jonathan Weissman, warned that stolen healthcare data can be exploited for medical fraud, identity theft, and targeted scams. Children’s information is particularly vulnerable, as misuse may go undetected for years. Xsolis stated the unauthorized activity has been contained, with no evidence of data misuse to date. Affected patients were offered free 12-month identity monitoring. Rochester Regional Health emphasized its commitment to patient data security, noting it holds partners to strict privacy standards. The health system has requested corrections to the erroneous notifications.

Rochester Regional Health Patients Receive Confusing Breach Notifications After Vendor Incident Patients of Rochester Regional Health recently received mailed notifications regarding a data breach linked to a third-party vendor, Xsolis a case and utilization management services provider previously used by the healthcare system. The breach, discovered by the vendor, exposed sensitive patient information, though the hospital itself was not directly compromised. The notifications sparked confusion and skepticism among recipients due to several errors. The letters incorrectly identified the facility as "Rochester Regional Medical Center" instead of its proper name, Rochester Regional Health. Many recipients initially dismissed the notices as scams, particularly given the hospital’s history of prior breaches in 2020 and 2023. Rochester Regional Health later confirmed the legitimacy of the breach notifications, attributing the miscommunication to the vendor’s handling of the incident. The incident highlights ongoing challenges in third-party risk management and the importance of clear, accurate breach disclosures in maintaining patient trust.