AdaptHealth Breach: How Attackers Use Stolen Login Sessions to Act Like Legitimate Users

Published
Written by:
Vishwa Pandagle
Vishwa Pandagle
Cybersecurity Staff Editor

Question: A recent healthcare breach disclosure involving AdaptHealth said attackers used social engineering to compromise an authenticated user session. For victims and readers unfamiliar with this, what does a compromised user session typically involve? What warning signs might employees notice? What can reduce the chances of session hijacking?


Jason Soroko, Senior Fellow at Sectigo

A compromised user session occurs when an attacker steals the temporary token granting access to a system. 

Attackers use social engineering to direct victims to a proxy website that mimics an authentic login portal. 

During a proxy attack, hackers set up a fraudulent checkpoint to intercept this pass exactly when the system issues it to you. 

The attacker then uses the stolen pass to enter secure corporate networks while bypassing passwords and multi-factor authentication. 

This adversary-in-the-middle technique grants the attacker access to cloud applications without needing the password. 

Employees might notice warning signs such as: 

Organizations must adopt advanced controls to prevent session hijacking. Implementing phishing-resistant authentication methods utilizing hardware security keys binds the login process to a specific device and domain. 

Administrators can configure conditional access policies to monitor behavior and revoke access when anomalies arise. Enforcing session timeouts limits the window of opportunity for an attacker holding a stolen token. 

Training helps employees identify discrepancies in URLs and interface designs that characterize proxy attacks.


Shane Barney, Chief Information Security Officer at Keeper Security

The AdaptHealth incident reflects a pattern that identity and access teams are seeing with increasing frequency: the attacker did not need to break in

They inherited access that had already been granted, through a third-party contractor whose session was compromised via social engineering. 

From that point forward, the affected systems had no reason to question what they were seeing. The session looked legitimate because it was.

This is precisely why identity governance matters as much as perimeter defense. When third-party access is persistent rather than time-limited, and when session behavior goes unmonitored, organizations lose the ability to distinguish between a legitimate user and an attacker operating inside a trusted session. 

Security teams with the right monitoring in place will recognize the signals

The takeaway from incidents like this is consistent: contractors and vendors should operate under zero standing privilege

Multi-factor authentication is necessary but not sufficient on its own. Without session-level visibility and strict identity governance across every user, including third parties, organizations will continue to find out about compromised access only after the damage is done.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: