What happened
RXNT, a healthcare software company providing electronic health record solutions, has begun notifying client organizations about a data breach in which an unauthorized actor accessed one of its solutions and obtained patient data between March 1 and March 3, 2026. The company completed its data review on April 17 and sent notification letters to affected clients dated May 1, giving providers until May 15 to register for further information through a dedicated notification website.
The stolen data includes patient names, dates of birth, and demographic information such as addresses, contact details, and patient IDs. RXNT has confirmed that multiple clients were affected and has notified each individually about the number of patients impacted by their specific instance. The total number of affected individuals has not been publicly disclosed. RXNT has offered to handle all breach reporting obligations on behalf of affected clients, including OCR notifications, media notices, individual patient notifications, and state attorney general disclosures.
Who is affected
Healthcare providers using RXNT’s EHR software are the directly notified parties, with patient data across multiple client organizations confirmed as exposed. Patients whose records were stored in the accessed system face potential exposure of their personal and demographic information. The scope across providers is still being established as the May 15 registration deadline approaches.
Why CISOs should care
The RXNT breach follows the now-standard pattern for healthcare software vendor incidents: a narrow access window, a weeks-long investigation, and a short notification timeline that places significant pressure on affected provider organizations to assess their exposure, fulfill regulatory obligations, and communicate with patients simultaneously. The offer to handle breach reporting on behalf of clients is notable but introduces its own risk. Providers that delegate notification handling to the breached vendor are still legally responsible for compliance under HIPAA and applicable state laws, and the tight May 15 registration window leaves little time to evaluate whether that delegation is appropriate.
3 practical actions
- Contact RXNT immediately if your organization uses its EHR software and has not yet received notification: The breach affected multiple clients, and the May 15 registration deadline for accessing further incident information is approaching. Do not wait for outreach if your organization uses RXNT products and has not been contacted.
- Review the legal implications of delegating breach notification to RXNT before signing on: RXNT’s offer to handle OCR notifications, individual notices, and state AG filings on behalf of affected clients is operationally convenient but does not transfer legal liability. Ensure your legal and compliance counsel reviews the arrangement before agreeing, and confirm that any notifications sent by RXNT on your behalf meet your specific state and federal requirements.
- Assess what patient data was accessible within your RXNT instance and prepare for potential patient inquiries: RXNT has notified each client individually about the number of affected patients. Use that information to prepare patient communication templates and identity protection guidance, and confirm whether the exposed data categories trigger any notification obligations beyond HIPAA in the states where your patients are located.
Also in the news today:
- CMS Provider Directory Database Found Leaking Healthcare Providers’ Social Security Numbers
- CISA Launches CI Fortify to Prepare Critical Infrastructure for Geopolitical Cyber Conflict
- Mirai-Based xlabs_v1 Botnet Exploits Android Debug Bridge to Hijack IoT Devices
- Cisco Releases Fix for DoS Flaw That Requires Manual Reboot to Recover
- MuddyWater Hackers Use Chaos Ransomware as a Decoy in Espionage Attacks
- Palo Alto Networks Warns of Firewall RCE Zero-Day Exploited in Attacks
