Xsolis, a healthcare technology company serving over 600 hospitals, just disclosed that attackers accessed files containing PHI for 1.4 million people. The attack started with phishing on January 20, 2026. Two days later, someone noticed “unauthorized activity” on the network.
By then, the damage was done. The attackers had already read files containing names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment records.
The Problem: Network Access Doesn’t Require File Access
Here’s the uncomfortable part: the phishing attack gave the scumbags network credentials. That’s bad. But the actual breach — the part where 1.4 million patient records got compromised — required reading files from disk.
Once they had credentials, they could use any program they wanted to open those files. A custom exfiltration tool, a PowerShell script, a legitimate file transfer utility — it doesn’t matter. Windows handed over the files because the request came from an authenticated user.
Xsolis reset passwords, accelerated security training, and strengthened credential management. All reasonable responses. But none of those stop the core problem: once someone has credentials, they can read your files.
How FileSure Stops Unauthorized File Reads
FileSure operates at the Windows kernel level via a filter driver. It intercepts every file system operation — open, read, write, create, delete, rename — before Windows processes it.
You define which programs are authorized to access PHI files. For example:
File Filter: *patient*.db, *.hl7, C:\EHR\Records\*
Authorized Programs: C:\Program Files\EHR\ehr.exe, C:\Program Files\PACS\viewer.exe
Operations Allowed: Read, Write
All Other Programs: BLOCK and LOG
If an attacker runs a data exfiltration tool — even with valid credentials — FileSure blocks the file read operation. The tool never gets the data. The attempt gets logged with the user name, program path, machine name, and exact timestamp.
Your EHR application still works normally. Your PACS viewer still opens imaging files. But PowerShell scripts, custom malware, and unauthorized file transfer tools get nothing.
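The rule above can be read as a decision table, sketched here as an added example that is not FileSure's code or configuration format: a user-space Python model that applies the file filter and program allowlist to constructed access events and emits log entries with the fields the page lists. The names RULE, evaluate, audit and sample_event are hypothetical, and the model assumes that an operation outside "Operations Allowed" is blocked even for an authorized program.

```python
# Added illustration, not FileSure's code: a user-space model of the rule above.
# RULE, evaluate, audit, sample_event and the events are hypothetical.
from fnmatch import fnmatchcase

RULE = {
    "file_filters": [r"*patient*.db", r"*.hl7", r"C:\EHR\Records\*"],
    "authorized_programs": [r"C:\Program Files\EHR\ehr.exe",
                            r"C:\Program Files\PACS\viewer.exe"],
    "operations_allowed": ["read", "write"],
}

def evaluate(rule, ev):
    """Return a log entry for a covered file, or None if the rule ignores it."""
    path = ev["path"].lower()  # Windows paths compare case-insensitively
    if not any(fnmatchcase(path, f.lower()) for f in rule["file_filters"]):
        return None  # outside the file filter: neither blocked nor logged
    programs = {p.lower() for p in rule["authorized_programs"]}
    # Assumption of this model: an unlisted operation is blocked for everyone.
    allowed = (ev["program"].lower() in programs
               and ev["op"] in rule["operations_allowed"])
    return {**ev, "decision": "ALLOW" if allowed else "BLOCK"}

def audit(rule, events):
    """Evaluate every event and keep only the entries the rule would log."""
    return [e for e in (evaluate(rule, ev) for ev in events) if e is not None]

def sample_event(time, program, op, path):
    # Constructed sample data: one account with valid credentials throughout.
    return {"time": time, "user": r"CORP\jdoe", "machine": "EHR-APP01",
            "program": program, "op": op, "path": path}

EVENTS = [
    sample_event("2026-02-03T09:14:02Z", r"C:\Program Files\EHR\ehr.exe",
                 "read", r"C:\EHR\Records\2026\a1.rec"),
    sample_event("2026-02-03T23:41:10Z",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "read", r"D:\exports\Patient_Index.db"),
    sample_event("2026-02-03T23:41:12Z", r"C:\Program Files\EHR\EHR.EXE",
                 "delete", r"C:\EHR\Records\2026\a1.rec"),
    sample_event("2026-02-03T23:41:15Z", r"C:\Windows\System32\notepad.exe",
                 "read", r"C:\Users\jdoe\notes.txt"),
]

if __name__ == "__main__":
    for e in audit(RULE, EVENTS):
        print(e["time"], e["decision"], e["user"], e["machine"], e["op"],
              e["program"], "->", e["path"])
```

The same account appears in every event; only the requesting program and operation change the decision, and the file outside the filter produces no log entry at all.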
The HIPAA Audit Trail You Actually Need
The HIPAA Security Rule requires you to “record and examine activity” involving ePHI. Most organizations rely on Windows Event Logs, which produce massive volumes of generic events and roll over quickly under PCI-DSS-style audit-everything requirements.
FileSure logs only file operations on the files you specify. Every log entry includes:
- User name and machine name
- Program that attempted access
- File name and full path
- Operation type (read, write, create, delete)
- Exact timestamp
- Whether the operation was allowed or blocked
The logs are encrypted, tamper-resistant, and stored separately from the files they protect. When your compliance team or an OCR auditor asks “who accessed this patient record?”, you have the answer — immediately, specifically, and with evidence that can’t be altered after the fact.
Start Your Free Trial
FileSure installs on legacy and modern Windows systems — including the medical devices, imaging systems, and laboratory equipment running older Windows versions that modern security tools won’t touch.
Your PHI is protected at the file system level, where the actual damage happens. Start your free 21-day trial at bystorm.com and see how kernel-level file access control works in your environment.
Source: Healthtech firm Xsolis suffers data breach impacting 1.4 million people