1.4M Hit in Xsolis Phishing, New Ransomware 'Pear' Targets Mortgage Lender

For cybersecurity teams, these two incidents are a double-barreled warning: credential-focused phishing still effortlessly breaches healthcare orgs, and extortion-focused ransomware gangs like the freshly surfaced 'Pear' are diversifying into financial services. The 1.4M-record Xsolis haul and the mortgage application cache from Optimum First expose the high-value data that defenders must now prioritize in threat modeling and incident response planning.

On June 22, 2026, class action law firm Edelson Lechtzin LLP announced dual investigations into two separate data breaches, one targeting healthcare AI company Xsolis, Inc. and the other impacting mortgage lender Optimum First Mortgage. These announcements, while promotional in nature, reveal specific details about attack vectors, compromised data types, and a named ransomware group, providing a snapshot of the ongoing cybersecurity crisis in sectors handling highly sensitive personal information.

“

On June 22, 2026, class action law firm Edelson Lechtzin LLP announced dual investigations into two separate data breaches, one targeting healthcare AI company Xsolis, Inc.

The Xsolis breach, according to the firm's press release, originated from a targeted phishing attack on January 20, 2026, with discovery occurring two days later on January 22. At least 1.4 million individuals are estimated to be affected, with potentially exposed data including names, addresses, dates of birth, health insurance information, Social Security numbers, and medical treatment details. This represents a classic healthcare data compromise: phishing remains the most common initial access vector in the sector, often leading to credential theft and lateral movement within networks. Xsolis, a company that uses AI to streamline care management for hospitals and insurers, sits at the intersection of technology and protected health information (PHI), making it a high-value target for financially motivated threat actors who can resell medical records on dark web forums, where such records command premium prices due to their longevity and richness.

The Optimum First Mortgage incident, by contrast, involves a ransomware group called “Pear” that claimed responsibility on June 19, 2026. The group reportedly threatened to leak sensitive data unless the mortgage lender paid a ransom. The compromised data set, drawn from mortgage applications, is equally alarming: income details, employment history, tax records, Social Security numbers, and bank account information. Financial services firms, particularly lenders, are prized targets for extortion because the data they hold can be used for immediate financial fraud, tax refund theft, and identity takeover. The emergence of a named group like Pear adds a fresh threat intelligence marker for security researchers, though the group’s origins, TTPs, and prior activities remain unverified beyond the law firm’s claim.

Both incidents highlight a broader trend: the rapid mobilization of class action law firms following breach notifications. Edelson Lechtzin’s simultaneous announcements show a well-oiled machine, offering free case evaluations and urging victims to preserve evidence and enroll in credit monitoring. This litigious aftermath is now an expected second phase of any major data breach, with firms competing to sign up affected individuals. For cybersecurity practitioners, this legal dimension adds a layer of post-incident pressure: organizations must not only contain and remediate technical damage but also brace for regulatory scrutiny and class action exposure.

From a threat landscape perspective, the two incidents illustrate the dual-pronged assault employed by modern cybercriminals. Phishing, as seen in the Xsolis case, exploits human error to gain entry and exfiltrate data silently, often remaining undetected for days. Ransomware groups like Pear increasingly adopt a “double extortion” model, stealing data before encrypting systems and then threatening public release. That Pear specifically claimed a ransomware attack on a mortgage lender suggests a targeted approach, possibly leveraging initial access brokers or exploiting unpatched vulnerabilities, though technical details are absent from the investigation announcement.

The sensitivity of the data involved in both breaches cannot be overstated. Medical records from Xsolis are covered by HIPAA regulations, and the exposure of SSNs and health insurance information could lead to medical identity theft, where fraudsters obtain treatment or prescription drugs using stolen identities. For Optimum First Mortgage customers, the leak of tax returns and bank statements opens doors to loan fraud, Social Security scams, and draining of accounts. The law firm’s investigation emphasizes the increased risk of identity theft and fraud, a foreseeable consequence that will likely form the basis of the class action claims.

Looking ahead, these investigations will likely prompt a review of security practices at both companies. Xsolis’s containment on January 22 suggests an active incident response, but questions remain about the dwell time between January 20 and 22, and whether the attackers accessed or exfiltrated data beyond what is disclosed. Optimum First Mortgage’s silence (the press release only relays the law firm’s narrative) leaves open questions about whether the company paid the ransom, notified law enforcement, or has negotiated with Pear. As more details emerge through mandatory breach notifications to attorneys general or HHS’s Office for Civil Rights, the full scope may become clearer.