Carle Health Patient Data Breach Linked to XSolis Phishing Attack

Written by 
Published on:
July 14, 2026
Updated on:
July 14, 2026

Not every data breach starts inside the company that sends the notification letter. That’s exactly what happened with Carle Health, the nonprofit hospital system based in Urbana, Illinois. The organization recently confirmed that patient information was compromised through a third-party vendor — not its own network. Unfortunately, the fact remains that patient data has allegedly been compromised and individuals deserve answers. Contact our data breach lawyers to learn more.

Tracing the Breach Back to Its Source

XSolis, a vendor Carle Health uses for case and utilization management, first detected unusual activity on its network on January 22, 2026. The company later determined the cause was a targeted phishing attack. It took months of investigation before XSolis could identify whose data was affected. Around 1.4 million individuals may be impacted in the XSolis incident.

XSolis notified Carle Health on April 23, 2026, roughly three months after the intrusion was first detected. The breach was reported to the U.S. Department of Health and Human Services on June 19, 2026. In total, approximately 1,444 Carle Health patients had personal and medical information involved.

The Kind of Data Patients Need to Worry About

Carle Health has confirmed that its own medical records system and internal network were not breached. However, patient data that passed through XSolis during routine case management was exposed. Reports indicate the compromised information may include:

  • Patient names and dates of birth
  • Social Security numbers
  • Treating physician names
  • Health insurance details
  • Diagnoses and medical record numbers
  • Dates and locations of treatment

This combination creates a detailed picture of a patient’s health history paired with key identifiers that can be used for identity theft or medical fraud.

Hospitals rely heavily on outside vendors for services ranging from billing to case management. Each vendor represents a potential point of failure. Under federal privacy laws like HIPAA, healthcare organizations must vet vendors and ensure proper safeguards through contracts. Gaps in oversight can create legal exposure for the hospital system.

Talk to a Lawyer About Filing a Data Breach Claim

When a breach occurs through a vendor, patients often wonder who is truly accountable — the hospital or the third party. The Lyon Firm has years of experience helping patients navigate these complex healthcare data breach cases. We offer free, confidential consultations and work on a contingency-fee basis. Reach out to The Lyon Firm today to discuss your situation and explore your options.

This post includes details that are current as of publication and subject to change. Talk to a licensed attorney about your specific situation. No representation is made that Carle Health or XSolis engaged in any wrongdoing.

Contact Us

Request a Free Consultation

Taking the first step doesn’t have to be complicated. In just a few minutes, you can share the basics of your case, and our team will guide you from there:

  • It begins with a few simple questions about your situation.
  • From there, a member of our legal team reviews your case.
  • Together, we’ll chart the path forward, helping you take the next step toward resolution.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.