Large US Healthcare Data Breaches Impacting Millions of Patients
Multiple healthcare-sector data breaches were disclosed with significant exposure of protected health information (PHI). TriZetto Provider Solutions (TPS), an insurance verification provider, reported a compromise that began in November 2024 and was not detected until nearly a year later; the threat was reportedly eradicated on Oct. 2, 2025. Notifications to affected healthcare provider customers across several states continued into late 2025 and early 2026, with one Oregon advisory estimating exposure affecting more than 700,000 people; impacted providers stated there was no current evidence of misuse and that financial details were not stolen.
Separately, Healthcare Interactive (HCIactive), an AI-powered insurance enrollment and benefits administration vendor, confirmed that an intrusion and data exfiltration tied to activity in mid-2025 ultimately affected 3,056,950 individuals, after earlier placeholder reporting while scope was still being determined; reported unauthorized access windows vary from July 8–12, 2025 to a broader June 17–July 22, 2025. Another incident involved AI care-coordination platform Lena Health, where a threat actor claimed exposure of patient data (including references to a Twilio call recording database) and alleged that 2,134 patients’ PHI was stored in an unencrypted export in a public-facing AWS S3 bucket, with follow-on reporting indicating exploitation after a publicly disclosed vulnerability and an available patch that was not applied in time.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Oregon providers prepare additional patient notices for TriZetto incident
By late January 2026, Oregon healthcare providers said they were preparing breach notification letters tied to the TriZetto incident, including about 1,300 patients at Deschutes County Health Services, 1,650 at Best Care, and 1,200 at La Pine Community Health Center. The providers said they had seen no evidence of misuse and that no financial data was stolen.
FulcrumSec says it contacted Lena Health with proof of breach
The threat actor told DataBreaches it contacted Lena Health on January 10, 2026 and initially received acknowledgment that proof files had been received. The actor said communications later stopped.
Healthcare Interactive reports 3,056,950 affected to Oregon
Oregon was notified on January 7, 2026 that Healthcare Interactive's 2025 security incident affected 3,056,950 individuals, far exceeding the initial placeholder report of 501. The compromised data included personal identifiers, insurance and billing information, and medical data such as diagnoses, prescriptions, lab results, and images.
Lena Health allegedly breached via exposed S3 bucket and Twilio data
A hacking-forum post attributed to FulcrumSec claimed Lena Health was breached in December 2025 through exploitation of an unpatched vulnerability, exposing PHI in a public-facing S3 bucket and Twilio call-recording data. The allegedly exposed information included patient identities, medical details, discharge documents, call recordings and transcripts, and possibly credentials or API keys.
Oregon providers are notified of the TriZetto breach
Deschutes County Health Services, Best Care, and La Pine Community Health Center said they were informed in early December 2025 that the TriZetto incident may have exposed patient PHI. Combined, the three providers said more than 700,000 people may have been affected.
Lena Health allegedly remains unpatched after December vulnerability disclosure
A major vulnerability that FulcrumSec said it later exploited against Lena Health was disclosed in early December 2025 and had a patch available. According to the actor, Lena Health had not applied the patch when it was attacked later that month.
TriZetto detects suspicious portal activity and contains incident
TriZetto Provider Solutions detected suspicious activity in a customer web portal on October 2, 2025 and said the threat was eliminated the same day. Cognizant engaged Mandiant and notified law enforcement, later stating the incident was not ransomware-related.
Healthcare Interactive network intrusion exposes customer data
Healthcare Interactive reported unauthorized access and file exfiltration affecting its systems in mid-2025. Confirmed unauthorized access occurred between July 8 and July 12, 2025, though one notice suggested a broader window from June 17 to July 22, 2025.
TriZetto intrusion begins with unauthorized access to provider systems
Attackers gained access to TriZetto Provider Solutions' environment in November 2024, potentially exposing protected health information and other sensitive data tied to multiple healthcare providers and policyholders.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Thousands more learn their health info stolen from TriZetto • The Register
go.theregister.com
Open sourceHealthcare Interactive: More Than 3 Million Individuals Affected by July 2025 Security Incident
hipaajournal.com
Open sourceAI “digital helper” Lena Health breach exposed some Houston Methodist patients’ medical info - DataBreaches.Net
databreaches.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Healthcare Data Breaches Expose Patient Information
Several healthcare organizations in the United States have reported significant data breaches resulting in the exposure of protected health information (PHI) for tens of thousands of patients. TriZetto Provider Solutions, a revenue management service provider, discovered unauthorized access to its web portal dating back to November 2024, with attackers accessing historical eligibility transaction reports containing sensitive patient data such as names, addresses, Social Security numbers, and health insurance details. The breach was detected in October 2025, after which immediate remediation steps were taken, including engaging Mandiant for investigation and securing the affected systems. Other incidents include breaches at Morton Drug Company in Wisconsin, Physicians to Children & Adolescents in Kentucky, the Center for Urologic Care of Berks County in Pennsylvania, North Atlantic States Carpenters Health Benefits Fund in Massachusetts, and Millcreek Pediatrics in Delaware. These breaches involved unauthorized network access and resulted in the exposure of PHI, including names, birth dates, medical record numbers, prescription information, and, in some cases, Social Security numbers. Affected organizations have notified impacted individuals and are offering credit monitoring services where appropriate, while also implementing enhanced security measures to prevent future incidents.
Mar 21, 2026
Delayed patient notifications following healthcare data breaches at providers and vendors
Multiple healthcare organizations and vendors reported **delayed patient notifications** after discovering unauthorized access to protected health information (PHI), in some cases more than a year after the underlying compromise. In Colorado, **Alpine Ear, Nose, and Throat (Alpine ENT)** notified **65,648** individuals that an attacker accessed and exfiltrated files containing PHI in an incident identified on **Nov. 19, 2024**; the **BianLian** ransomware group later claimed responsibility and posted the organization to its leak site. Exposed data was described as highly sensitive, including medical information and, for some individuals, **financial account data and payment card details** (including CVC/expiration) and **Social Security numbers**; Alpine ENT reported no confirmed identity theft at the time of notification and offered credit monitoring. Separately, **Bayada Home Health Care** disclosed exposure risk tied to a **third-party vendor (Doctor Alliance)** after Doctor Alliance reported unauthorized network access during **Oct.–Nov. 2025**, potentially affecting Home Health Certification and Plan of Care forms containing patient identifiers and clinical/insurance details (and **SSNs for a subset**). Bayada said it discontinued using Doctor Alliance and reported the matter to regulators. In another vendor-related incident, **TriZetto Provider Solutions (Cognizant)**—an insurance verification provider—suffered a cyberattack impacting PHI across multiple states; Oregon providers began notifying additional patients after the breach was reported as occurring in **Nov. 2024** but not discovered until **Oct. 2, 2025**, with no financial data reportedly compromised and no evidence of misuse so far; the incident has prompted **class-action lawsuits**, engagement of **Mandiant**, and law enforcement notification.
Mar 21, 2026
TriZetto Provider Solutions Data Exfiltration Affecting Healthcare Client Insurance Data
**TriZetto Provider Solutions** (a Cognizant business unit providing revenue cycle management and claims clearinghouse services) is notifying more than **3.4 million individuals** after investigators determined threat actors accessed and exfiltrated healthcare clients’ **insurance-related data**. The activity reportedly began in **November 2024** but was not detected until **October 2025**, indicating a prolonged period of unauthorized access before discovery. The incident was reported to the U.S. Department of Health and Human Services via the **HIPAA Breach Reporting Tool** as impacting approximately **3.43 million** people, while TriZetto has not publicly specified how many healthcare customers were affected. Multiple healthcare organizations have publicly stated they were impacted and have issued their own patient notifications, underscoring downstream exposure risk for providers relying on TriZetto’s billing and claims processing services.
Mar 21, 2026