Large US Healthcare Data Breaches Impacting Millions of Patients
Multiple healthcare-sector data breaches were disclosed with significant exposure of protected health information (PHI). TriZetto Provider Solutions (TPS), an insurance verification provider, reported a compromise that began in November 2024 and was not detected until nearly a year later; the threat was reportedly eradicated on Oct. 2, 2025. Notifications to affected healthcare provider customers across several states continued into late 2025 and early 2026, with one Oregon advisory estimating exposure affecting more than 700,000 people; impacted providers stated there was no current evidence of misuse and that financial details were not stolen.
Separately, Healthcare Interactive (HCIactive), an AI-powered insurance enrollment and benefits administration vendor, confirmed that an intrusion and data exfiltration tied to activity in mid-2025 ultimately affected 3,056,950 individuals, after earlier placeholder reporting while scope was still being determined; reported unauthorized access windows vary from July 8–12, 2025 to a broader June 17–July 22, 2025. Another incident involved AI care-coordination platform Lena Health, where a threat actor claimed exposure of patient data (including references to a Twilio call recording database) and alleged that 2,134 patients’ PHI was stored in an unencrypted export in a public-facing AWS S3 bucket, with follow-on reporting indicating exploitation after a publicly disclosed vulnerability and an available patch that was not applied in time.
Timeline
Jan 30, 2026
Oregon providers prepare additional patient notices for TriZetto incident
By late January 2026, Oregon healthcare providers said they were preparing breach notification letters tied to the TriZetto incident, including about 1,300 patients at Deschutes County Health Services, 1,650 at Best Care, and 1,200 at La Pine Community Health Center. The providers said they had seen no evidence of misuse and that no financial data was stolen.
Jan 10, 2026
FulcrumSec says it contacted Lena Health with proof of breach
The threat actor told DataBreaches it contacted Lena Health on January 10, 2026 and initially received acknowledgment that proof files had been received. The actor said communications later stopped.
Jan 7, 2026
Healthcare Interactive reports 3,056,950 affected to Oregon
Oregon was notified on January 7, 2026 that Healthcare Interactive's 2025 security incident affected 3,056,950 individuals, far exceeding the initial placeholder report of 501. The compromised data included personal identifiers, insurance and billing information, and medical data such as diagnoses, prescriptions, lab results, and images.
Dec 15, 2025
Lena Health allegedly breached via exposed S3 bucket and Twilio data
A hacking-forum post attributed to FulcrumSec claimed Lena Health was breached in December 2025 through exploitation of an unpatched vulnerability, exposing PHI in a public-facing S3 bucket and Twilio call-recording data. The allegedly exposed information included patient identities, medical details, discharge documents, call recordings and transcripts, and possibly credentials or API keys.
Dec 1, 2025
Oregon providers are notified of the TriZetto breach
Deschutes County Health Services, Best Care, and La Pine Community Health Center said they were informed in early December 2025 that the TriZetto incident may have exposed patient PHI. Combined, the three providers said more than 700,000 people may have been affected.
Dec 1, 2025
Lena Health allegedly remains unpatched after December vulnerability disclosure
A major vulnerability that FulcrumSec said it later exploited against Lena Health was disclosed in early December 2025 and had a patch available. According to the actor, Lena Health had not applied the patch when it was attacked later that month.
Oct 2, 2025
TriZetto detects suspicious portal activity and contains incident
TriZetto Provider Solutions detected suspicious activity in a customer web portal on October 2, 2025 and said the threat was eliminated the same day. Cognizant engaged Mandiant and notified law enforcement, later stating the incident was not ransomware-related.
Jul 8, 2025
Healthcare Interactive network intrusion exposes customer data
Healthcare Interactive reported unauthorized access and file exfiltration affecting its systems in mid-2025. Confirmed unauthorized access occurred between July 8 and July 12, 2025, though one notice suggested a broader window from June 17 to July 22, 2025.
Nov 1, 2024
TriZetto intrusion begins with unauthorized access to provider systems
Attackers gained access to TriZetto Provider Solutions' environment in November 2024, potentially exposing protected health information and other sensitive data tied to multiple healthcare providers and policyholders.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Organizations
Affected Products
Sources
Related Stories
Multiple Healthcare Data Breaches Expose Patient Information
Several healthcare organizations in the United States have reported significant data breaches resulting in the exposure of protected health information (PHI) for tens of thousands of patients. TriZetto Provider Solutions, a revenue management service provider, discovered unauthorized access to its web portal dating back to November 2024, with attackers accessing historical eligibility transaction reports containing sensitive patient data such as names, addresses, Social Security numbers, and health insurance details. The breach was detected in October 2025, after which immediate remediation steps were taken, including engaging Mandiant for investigation and securing the affected systems. Other incidents include breaches at Morton Drug Company in Wisconsin, Physicians to Children & Adolescents in Kentucky, the Center for Urologic Care of Berks County in Pennsylvania, North Atlantic States Carpenters Health Benefits Fund in Massachusetts, and Millcreek Pediatrics in Delaware. These breaches involved unauthorized network access and resulted in the exposure of PHI, including names, birth dates, medical record numbers, prescription information, and, in some cases, Social Security numbers. Affected organizations have notified impacted individuals and are offering credit monitoring services where appropriate, while also implementing enhanced security measures to prevent future incidents.
1 months ago
Delayed patient notifications following healthcare data breaches at providers and vendors
Multiple healthcare organizations and vendors reported **delayed patient notifications** after discovering unauthorized access to protected health information (PHI), in some cases more than a year after the underlying compromise. In Colorado, **Alpine Ear, Nose, and Throat (Alpine ENT)** notified **65,648** individuals that an attacker accessed and exfiltrated files containing PHI in an incident identified on **Nov. 19, 2024**; the **BianLian** ransomware group later claimed responsibility and posted the organization to its leak site. Exposed data was described as highly sensitive, including medical information and, for some individuals, **financial account data and payment card details** (including CVC/expiration) and **Social Security numbers**; Alpine ENT reported no confirmed identity theft at the time of notification and offered credit monitoring. Separately, **Bayada Home Health Care** disclosed exposure risk tied to a **third-party vendor (Doctor Alliance)** after Doctor Alliance reported unauthorized network access during **Oct.–Nov. 2025**, potentially affecting Home Health Certification and Plan of Care forms containing patient identifiers and clinical/insurance details (and **SSNs for a subset**). Bayada said it discontinued using Doctor Alliance and reported the matter to regulators. In another vendor-related incident, **TriZetto Provider Solutions (Cognizant)**—an insurance verification provider—suffered a cyberattack impacting PHI across multiple states; Oregon providers began notifying additional patients after the breach was reported as occurring in **Nov. 2024** but not discovered until **Oct. 2, 2025**, with no financial data reportedly compromised and no evidence of misuse so far; the incident has prompted **class-action lawsuits**, engagement of **Mandiant**, and law enforcement notification.
1 months ago
TriZetto Provider Solutions Data Exfiltration Affecting Healthcare Client Insurance Data
**TriZetto Provider Solutions** (a Cognizant business unit providing revenue cycle management and claims clearinghouse services) is notifying more than **3.4 million individuals** after investigators determined threat actors accessed and exfiltrated healthcare clients’ **insurance-related data**. The activity reportedly began in **November 2024** but was not detected until **October 2025**, indicating a prolonged period of unauthorized access before discovery. The incident was reported to the U.S. Department of Health and Human Services via the **HIPAA Breach Reporting Tool** as impacting approximately **3.43 million** people, while TriZetto has not publicly specified how many healthcare customers were affected. Multiple healthcare organizations have publicly stated they were impacted and have issued their own patient notifications, underscoring downstream exposure risk for providers relying on TriZetto’s billing and claims processing services.
1 months ago