Rochester Regional Health Patients Notified of Data Breach After Phishing Attack
Rochester Regional Health has confirmed a data breach affecting approximately 18,600 patients following unauthorized access to a third-party vendor’s system. The incident stemmed from a phishing attack in January, potentially exposing personal and protected health information.
Patients received notification letters from Xsolis, Inc., a former vendor whose services ended in 2021. However, the letters contained errors including an incorrect name, "Rochester Regional Medical Center" leading many recipients to dismiss them as scams. Social media reactions reflected widespread skepticism, with some patients discarding the notices before verifying their legitimacy.
This is not the first breach for Rochester Regional Health, which experienced similar incidents in 2020 and 2023. In December, the health system secured $15 million in state funding to bolster its cybersecurity defenses.
Cybersecurity experts, including Rochester Institute of Technology professor Jonathan Weissman, warned that stolen healthcare data can be exploited for medical fraud, identity theft, and targeted scams. Children’s information is particularly vulnerable, as misuse may go undetected for years. Xsolis stated the unauthorized activity has been contained, with no evidence of data misuse to date.
Affected patients were offered free 12-month identity monitoring. Rochester Regional Health emphasized its commitment to patient data security, noting it holds partners to strict privacy standards. The health system has requested corrections to the erroneous notifications.
Rochester Regional Health cybersecurity rating report: https://www.rankiteo.com/company/rochesterregionalhealth
Xsolis cybersecurity rating report: https://www.rankiteo.com/company/xsolis
"id": "ROCXSO1781563504",
"linkid": "rochesterregionalhealth, xsolis",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '18,600 patients',
'industry': 'Healthcare',
'location': 'Rochester, New York',
'name': 'Rochester Regional Health',
'type': 'Healthcare Provider'},
{'industry': 'Healthcare Technology',
'name': 'Xsolis, Inc.',
'type': 'Third-party Vendor'}],
'attack_vector': 'Phishing',
'customer_advisories': 'Free 12-month identity monitoring offered to affected '
'patients; request for corrections to erroneous '
'notifications.',
'data_breach': {'number_of_records_exposed': '18,600',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (health records, personally '
'identifiable information)',
'type_of_data_compromised': 'Personal and protected health '
'information'},
'date_detected': '2024-01',
'description': 'Rochester Regional Health confirmed a data breach affecting '
'approximately 18,600 patients following unauthorized access '
'to a third-party vendor’s system. The incident stemmed from a '
'phishing attack in January, potentially exposing personal and '
'protected health information. Patients received notification '
'letters with errors, leading to skepticism and dismissal of '
'the notices as scams.',
'impact': {'brand_reputation_impact': 'Negative social media reactions and '
'skepticism',
'customer_complaints': 'Widespread skepticism and dismissal of '
'notices',
'data_compromised': 'Personal and protected health information',
'identity_theft_risk': 'High (medical fraud, identity theft, '
'targeted scams)',
'systems_affected': 'Third-party vendor (Xsolis, Inc.) system'},
'investigation_status': 'Contained, no evidence of data misuse to date',
'lessons_learned': 'Importance of verifying third-party vendor security, need '
'for accurate communication in breach notifications, and '
'risks of healthcare data exposure for medical fraud and '
'identity theft.',
'post_incident_analysis': {'corrective_actions': 'Secured $15 million in '
'state funding for '
'cybersecurity defenses; '
'requested corrections to '
'erroneous notifications.',
'root_causes': 'Phishing attack on third-party '
'vendor (Xsolis, Inc.)'},
'recommendations': 'Enhance third-party vendor security assessments, improve '
'breach notification accuracy, and invest in cybersecurity '
'defenses (e.g., $15 million state funding secured).',
'references': [{'source': 'Rochester Regional Health'},
{'source': 'Xsolis, Inc.'},
{'source': 'Jonathan Weissman (Rochester Institute of '
'Technology)'}],
'response': {'communication_strategy': 'Notification letters sent to patients '
'(with errors)',
'containment_measures': 'Unauthorized activity contained',
'remediation_measures': 'Free 12-month identity monitoring '
'offered to affected patients'},
'title': 'Rochester Regional Health Patients Notified of Data Breach After '
'Phishing Attack',
'type': 'Data Breach'}