RXNT

Between March 1 and March 3, 2026, an unauthorized actor accessed RXNT's healthcare software platform and exfiltrated patient data. RXNT provides electronic health records and e-prescribing software to healthcare providers across the United States—including the Office of the Attending Physician, which manages care for members of Congress, the Supreme Court, and Capitol staff.

Names. Home addresses. Dates of birth. Prescription information. Physician names. Pharmacy details. For members of Congress, this isn't just health data—it's a profile of their medical conditions, the medications they take, and where they fill prescriptions.

The Office of the Attending Physician confirmed that broader medical records, Social Security numbers, insurance information, and financial data were not affected. But prescription data alone reveals conditions that lawmakers may not want public: antidepressants, blood pressure medications, treatments for chronic conditions. Information that could be leveraged for blackmail, influence operations, or targeted attacks.

Members of Congress. Supreme Court justices. Capitol staff. The people who write laws, interpret the Constitution, and run legislative operations. Their prescription histories are now in unknown hands.

Foreign intelligence services pay attention to this kind of data. A lawmaker's health condition could influence committee assignments, reelection prospects, or legislative positions. Combined with home addresses and dates of birth, this becomes targeting data for social engineering, physical surveillance, or coercion attempts.

Using a specialized healthcare software vendor. RXNT provides EHR, e-prescribing, and practice management tools to healthcare providers nationwide. The Office of the Attending Physician chose them because they handle HIPAA-compliant prescription transmission to pharmacies—exactly the kind of sensitive workflow you'd want a dedicated vendor to manage.

Third-party healthcare software is supposed to reduce risk. Someone else handles the compliance burden, maintains the security controls, manages the infrastructure. Until that vendor becomes the attack surface.

The breach occurred March 1-3. RXNT took until April 17 to complete their data review. Then they waited until day 60 of HIPAA's notification window—May 1—to inform affected covered entities. Attending Physician Brian Monahan didn't notify affected lawmakers until the week of May 18.

Two and a half months. That's how long prescription data for members of Congress sat compromised before the people affected learned about it. RXNT knew on March 3 that data had been exfiltrated. The question is whether they knew, on March 3, whose data was in the blast radius—or whether that took another six weeks to figure out.

Nobody knows who did this. Domestic or foreign actor—undisclosed. Where the data ended up—unknown. RXNT serves multiple healthcare providers beyond the OAP, so the total number of affected individuals remains unclear. Notification letters went out May 1, but providers had until May 15 to register for breach support.

Capitol Hill is now demanding answers: What data was accessed? How many individuals were affected? Why did notification take so long? These are questions RXNT should have been able to answer on March 4—not questions legislators are still asking in late May.