STOCK TITAN

Patient data exposed in AdaptHealth (AHCO) material cybersecurity incident

Filing Impact
(Moderate)
Filing Sentiment
(Neutral)
Form Type
8-K

Rhea-AI Filing Summary

AdaptHealth Corp. reports a material cybersecurity incident involving patient data. A threat actor gained unauthorized access to certain cloud-based business applications, including internal patient management systems and document storage platforms, via a social engineering attack on a third-party contractor’s user session.

The company confirmed exfiltration of a stored password file tied to insurance billing and access to external electronic health record portals, affecting passwords and some patients’ personally identifiable and protected health information. The affected systems do not contain Social Security numbers or individual financial account or payment card data.

AdaptHealth has disabled the compromised account, reset credentials, added access controls, engaged external cybersecurity experts and notified law enforcement. As of this report, operations and patient services have not been materially impacted, though the full scope of data involved and the financial impact remain under investigation. The company notes that cybersecurity insurance may cover certain losses.

Positive

  • None.

Negative

  • The company reports a material cybersecurity incident involving unauthorized access to patient-related systems, exfiltration of billing passwords, and exposure of personally identifiable and protected health information, with the full scope and financial impact still undetermined.

Insights

Material breach of patient data creates ongoing legal, regulatory and reputational risk.

AdaptHealth describes a material cybersecurity incident involving unauthorized access to cloud-based patient systems and exfiltration of passwords and protected health information. For a healthcare-focused business, exposure of clinical and identifying data raises potential compliance and trust concerns.

The company states that operations and patient services remain intact, but the volume and categories of affected data are still being assessed. Possible costs include forensics, notification, legal and regulatory responses, and any remediation measures, partly offset by cybersecurity insurance where applicable.

The ultimate impact will depend on final findings about the data sets involved, any misuse or publication of information, and outcomes of regulatory or contractual processes referenced alongside risks in the company’s Form 10-K for the year ended December 31, 2025 and subsequent Form 10-Q filings.

Item 1.05 Material Cybersecurity Incidents Business
A cybersecurity incident that the company has determined to be material to investors.
Materiality determination date June 27, 2026 Date company determined the cybersecurity incident was material
Threat actor communication date June 15, 2026 Date threat actor claimed to have obtained company data
Third-party contractor session 1 user session compromised Successful social engineering attack on contractor’s user session
Social Security numbers in affected systems None collected Affected systems do not contain Social Security numbers
Material Cybersecurity Incidents regulatory
"Item 1.05 Material Cybersecurity Incidents. AdaptHealth Corp. (the “Company”) is investigating a security incident"
social engineering attack technical
"The incident was the result of a successful social engineering attack that compromised a user session"
protected health information medical
"The data affected includes passwords associated with insurance billing and certain personally identifiable information and protected health information of patients."
Protected health information is any personal medical or health-related data that can identify an individual—examples include diagnoses, treatment records, test results, insurance details, or an address when tied to health information. It matters to investors because organizations that collect, store or share this data face strict privacy laws, high breach and liability risk, and potential fines or reputational damage, making PHI a valuable but legally sensitive asset.
personally identifiable information financial
"The data affected includes passwords associated with insurance billing and certain personally identifiable information and protected health information of patients."
Personally identifiable information (PII) is any data that can directly or indirectly identify a single person — for example: full name, home address, national ID numbers, phone or email, financial account details, or unique biometric data. Investors care because mishandling or loss of PII can trigger regulatory fines, costly cleanup and lost customer trust; think of a data breach like losing the keys to many customers’ homes, which can hurt a company’s finances and stock value.
forward-looking statements regulatory
"This on contains statements that are not historical facts but are forward-looking statements for purposes of the safe harbor"
Forward-looking statements are predictions or plans that companies share about what they expect to happen in the future, like estimating sales or profits. They matter because they help investors understand a company's outlook, but since they are based on guesses and assumptions, they can sometimes be wrong.
See more from StockTitan in Google Search and AI answers. Adds StockTitan as a preferred source · opens Google
Add on Google
Learn about SEC filing dates
0001725255false00017252552026-06-272026-06-27

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

WASHINGTON, D.C. 20549

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 OR 15(d)

of The Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): June 27, 2026

AdaptHealth Corp.

(Exact name of registrant as specified in its charter)

Delaware

  ​ ​ ​

001-38399

  ​ ​ ​

82-3677704

(State or other jurisdiction of
incorporation)

 

(Commission File Number)

 

(IRS Employer Identification No.)

555 East North Lane, Suite 5075

Conshohocken, PA

  ​ ​ ​

19428

(Address of principal executive offices)

 

(Zip Code)

 

 

 

(610) 424-4515

(Registrant’s telephone number, including area code)

Not Applicable

(Former name or former address, if changed since last report.)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of each class

  ​ ​ ​

Trading
Symbol(s)

  ​ ​ ​

Name of each exchange on which
registered

Common Stock, par value $0.0001 per share 

 

AHCO 

 

The Nasdaq Stock Market LLC

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.

Item 1.05 Material Cybersecurity Incidents.

AdaptHealth Corp. (the “Company”) is investigating a security incident whereby a threat actor gained unauthorized access to Company systems and exfiltrated certain data therefrom. Upon learning of the incident, the Company promptly activated its incident response procedures, launched the investigation with the support of external advisors and cybersecurity experts to assess and contain the threat and notified law enforcement. While the investigation is ongoing, the Company has been able to confirm certain facts about the incident, and on June 27, 2026, the Company determined that the incident is material, due to the nature and potential volume of the data that is at risk.

Specifically, based on information obtained to date, the Company believes that a threat actor gained unauthorized access to certain of the Company’s cloud-based business applications, including certain internal patient management systems and document storage platforms. On June 15, 2026, the Company received a communication from a threat actor claiming to have obtained certain data from the Company’s systems. The Company has confirmed that certain data was exfiltrated from its systems including a stored password file associated with insurance billing; the Company also has confirmed that certain external electronic health record system portals were accessed by the threat actor.

The data affected includes passwords associated with insurance billing and certain personally identifiable information and protected health information of patients. The Company does not collect Social Security numbers in the affected systems and does not store individual financial account information or payment card information in those systems.

The incident was the result of a successful social engineering attack that compromised a user session associated with a third-party contractor. Following detection, the Company promptly implemented containment measures, including disabling the compromised user account, resetting affected credentials, and implementing additional access controls, and the incident has been contained. The Company is continuing to investigate the nature and scope of the incident with external forensics teams. The full scope of affected data sets has not yet been determined, and specific information regarding the volume of data at issue is not yet available. The Company has since taken steps intended to mitigate the risk of dissemination of the exfiltrated data.

As of the date of this Report, the incident has not had a material impact on the Company’s operations and has not affected the Company’s ability to service its patients. At this time, the Company is unable to determine the full financial impact of the incident, including remediation and response costs, legal, regulatory and notification-related matters, and possible effects on patients, counterparties and the Company’s reputation. The Company maintains cybersecurity insurance that may cover certain losses associated with the incident.

To the extent any information required by Item 1.05 of Form 8-K was not determined or was unavailable at the time of this filing, the Company will amend this Current Report on Form 8-K as such information is determined or becomes available.

Forward-Looking Statements

This Current Report on Form 8-K contains statements that are not historical facts but are forward-looking statements for purposes of the safe harbor provisions under the United States Private Securities Litigation Reform Act of 1995. Forward-looking statements generally are accompanied by words such as “believe,” “may,” “will,” “estimate,” “continue,” “anticipate,” “intend,” “expect,” “should,” “would,” “plan,” “predict,” “potential,” “seem,” “seek,” “future,” “outlook,” and similar expressions that predict or indicate future events or trends or that are not statements of historical matters. The forward-looking statements include, but are not limited to, statements regarding the Company’s current beliefs, understanding, and expectations regarding the incident; statements regarding the nature and scope of the incident; the Company’s ongoing assessment of the extent, categories and volume of data that was accessed or exfiltrated; the Company’s ongoing efforts to assess and contain the threat, including the Company’s assessment of whether there is any ongoing unauthorized access to its systems; the availability and adequacy of the Company’s insurance coverage; and the potential impact of the incident on the Company’s business, operations, financial condition and results of operations. These statements are based on current information, estimates and assumptions and are subject to known and unknown risks and uncertainties. Actual results may differ materially from those expressed or implied by these forward-looking statements. Factors that could cause actual results to differ from those expressed in these forward-looking statements include the ongoing assessment of the incident; the inability to determine the full scope of affected data sets and volume of data involved; the potential publication or misuse of affected data by the threat actor or other parties; legal, regulatory, reputational, and financial risks resulting from the incident or additional cybersecurity incidents; and the risks described in the Company’s Annual Report on Form 10-K for the year ended December 31, 2025 and subsequent Quarterly Reports on Form 10-Q. Except as required by law, the Company undertakes no obligation to update these statements.

- 2 -

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, as amended, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

Dated: July 2, 2026

AdaptHealth Corp.

By:

/s/ Richard Rew

 

Name:

Richard Rew

 

Title:

Chief Legal Officer, General Counsel and Secretary

- 3 -

FAQ

What cybersecurity incident did AdaptHealth (AHCO) disclose in this 8-K?

AdaptHealth disclosed a material cybersecurity incident where a threat actor accessed certain cloud-based business applications and patient management systems. Data was exfiltrated, including an insurance billing password file and patient personally identifiable and protected health information, prompting a full investigation with external cybersecurity experts.

What types of patient data were affected in AdaptHealth’s cybersecurity incident?

The incident affected passwords related to insurance billing plus certain patients’ personally identifiable information and protected health information. The company states that the impacted systems do not contain Social Security numbers or individual financial account or payment card data, limiting direct financial credential exposure from this specific breach.

How did the cybersecurity breach at AdaptHealth (AHCO) occur?

AdaptHealth reports the incident resulted from a successful social engineering attack that compromised a user session for a third-party contractor. This allowed a threat actor to gain unauthorized access to specific cloud-based business applications and external electronic health record portals before the compromised account was disabled and credentials were reset.

Has AdaptHealth’s cybersecurity incident affected its operations or patient services?

AdaptHealth states that, as of the report date, the cybersecurity incident has not had a material impact on operations or its ability to serve patients. Containment measures, such as disabling the compromised account and adding access controls, were implemented while forensic investigations continue to define the full scope of affected data.

What steps is AdaptHealth (AHCO) taking in response to the cybersecurity incident?

AdaptHealth activated incident response procedures, engaged external advisors and forensics teams, disabled the compromised account, reset affected credentials, and implemented additional access controls. The company notified law enforcement and is working to mitigate dissemination risks for exfiltrated data while continuing to assess the nature and volume of impacted information.

Does AdaptHealth have insurance coverage for this cybersecurity breach?

AdaptHealth notes that it maintains cybersecurity insurance that may cover certain losses associated with the incident. The company has not yet determined the full financial impact, including remediation, legal, regulatory, and notification costs, or how much of those costs insurance will ultimately reimburse.

What financial impact could AdaptHealth’s cybersecurity incident have on the company?

AdaptHealth indicates it is currently unable to determine the full financial impact of the incident. Potential effects include remediation and response expenses, legal and regulatory matters, notification obligations, and reputational consequences, although some losses may be offset by cybersecurity insurance where coverage applies under existing policies.

Filing Exhibits & Attachments

4 documents