Delayed patient notifications following healthcare data breaches at providers and vendors
Multiple healthcare organizations and vendors reported delayed patient notifications after discovering unauthorized access to protected health information (PHI), in some cases more than a year after the underlying compromise. In Colorado, Alpine Ear, Nose, and Throat (Alpine ENT) notified 65,648 individuals that an attacker accessed and exfiltrated files containing PHI in an incident identified on Nov. 19, 2024; the BianLian ransomware group later claimed responsibility and posted the organization to its leak site. Exposed data was described as highly sensitive, including medical information and, for some individuals, financial account data and payment card details (including CVC/expiration) and Social Security numbers; Alpine ENT reported no confirmed identity theft at the time of notification and offered credit monitoring.
Separately, Bayada Home Health Care disclosed exposure risk tied to a third-party vendor (Doctor Alliance) after Doctor Alliance reported unauthorized network access during Oct.–Nov. 2025, potentially affecting Home Health Certification and Plan of Care forms containing patient identifiers and clinical/insurance details (and SSNs for a subset). Bayada said it discontinued using Doctor Alliance and reported the matter to regulators. In another vendor-related incident, TriZetto Provider Solutions (Cognizant)—an insurance verification provider—suffered a cyberattack impacting PHI across multiple states; Oregon providers began notifying additional patients after the breach was reported as occurring in Nov. 2024 but not discovered until Oct. 2, 2025, with no financial data reportedly compromised and no evidence of misuse so far; the incident has prompted class-action lawsuits, engagement of Mandiant, and law enforcement notification.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
13 events from the most recent confirmed update back to the earliest known activity.
Marion County Public Health reports insider overaccess incident
Marion County Public Health Department in Indiana disclosed that an employee accessed more patient information than necessary, affecting 792 clients. The department said it found no evidence of misuse and responded with additional HIPAA training and stronger technical safeguards.
Bayada discloses Doctor Alliance third-party breach
Bayada Home Health Care disclosed that a breach at vendor Doctor Alliance may have exposed extensive medical, insurance, and in some cases Social Security information. Bayada said it stopped using the vendor and reported the incident to state attorneys general and HHS OCR.
Oregon providers notify patients tied to TriZetto breach
Deschutes County Health Services, Best Care, and La Pine Community Health Center sent breach notifications to thousands of Oregonians affected by the TriZetto incident.
Community Health Northwest Florida begins notifying patients
Community Health Northwest Florida started notifying affected individuals on January 26, 2026 after an extended review to determine whose data was impacted.
Alpine ENT, The Phia Group, and CHNW Florida notify affected individuals
In January 2026, Alpine ENT, The Phia Group, and Community Health Northwest Florida began notifying patients or other affected individuals about their 2024 incidents and offered credit monitoring or identity protection services.
Doctor Alliance suffers unauthorized network access windows
Doctor Alliance reported that an unauthorized party accessed its network during two separate periods in late 2025, creating possible exposure of patient forms and related protected health information handled for clients such as Bayada.
TriZetto discovers the 2024 breach
TriZetto Provider Solutions discovered the breach on October 2, 2025, indicating a lengthy gap between the intrusion and detection. Cognizant later engaged Mandiant and notified law enforcement.
Community Health Northwest Florida identifies unauthorized access
Community Health Northwest Florida tied unauthorized access to patient files to suspicious activity identified on December 24, 2024.
BianLian claims Alpine ENT attack
The BianLian ransomware group claimed responsibility for the Alpine ENT incident and posted the victim on its leak site in early December 2024.
Alpine ENT identifies data exfiltration incident
Alpine Ear, Nose, and Throat identified a security incident on November 19, 2024 in which an unauthorized party accessed and exfiltrated patient files.
TriZetto breach reportedly occurs in November 2024
TriZetto Provider Solutions said the underlying breach occurred in November 2024, exposing protected health information and other personal data of patients across multiple states.
The Phia Group detects the intrusion
The Phia Group detected the network intrusion on July 9, 2024 and later began assessing what data may have been acquired.
The Phia Group network intrusion occurs
The Phia Group said unauthorized access to its network occurred between July 8 and July 9, 2024, potentially exposing sensitive personal and health information.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Patients Learn Their Health Data Was Compromised More Than a Year Ago
hipaajournal.com
Open sourceBayada Home Health Care Affected by Doctor Alliance Data Breach
hipaajournal.com
Open sourceTriZetto data breach affects thousands more Oregonians | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Large US Healthcare Data Breaches Impacting Millions of Patients
Multiple healthcare-sector data breaches were disclosed with significant exposure of **protected health information (PHI)**. TriZetto Provider Solutions (TPS), an insurance verification provider, reported a compromise that began in **November 2024** and was not detected until nearly a year later; the threat was reportedly eradicated on **Oct. 2, 2025**. Notifications to affected healthcare provider customers across several states continued into late 2025 and early 2026, with one Oregon advisory estimating exposure affecting **more than 700,000 people**; impacted providers stated there was no current evidence of misuse and that **financial details were not stolen**. Separately, Healthcare Interactive (*HCIactive*), an AI-powered insurance enrollment and benefits administration vendor, confirmed that an intrusion and data exfiltration tied to activity in mid-2025 ultimately affected **3,056,950 individuals**, after earlier placeholder reporting while scope was still being determined; reported unauthorized access windows vary from **July 8–12, 2025** to a broader **June 17–July 22, 2025**. Another incident involved AI care-coordination platform *Lena Health*, where a threat actor claimed exposure of patient data (including references to a **Twilio call recording database**) and alleged that **2,134 patients’ PHI** was stored in an unencrypted export in a public-facing **AWS S3 bucket**, with follow-on reporting indicating exploitation after a publicly disclosed vulnerability and an available patch that was not applied in time.
Mar 21, 2026
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026
Healthcare Data Breaches and Patient Record Exposure at Providers and Vendors
Multiple healthcare entities reported **unauthorized access and patient data exposure**, with incidents spanning direct provider compromises and third-party vendor breaches. **Insight Hospital and Medical Center (Chicago)** disclosed suspicious activity in its IT environment, with investigators confirming **unauthorized network access from Aug 22 to Sep 11, 2025**; the organization said the review is ongoing but potentially impacted data includes **names, DOB, SSNs, passport numbers, financial account data, treatment information, and insurance details**. Two extortion groups publicly claimed responsibility: **LockBit** alleged theft of ~`200 GB` and **Termite** claimed `360 GB`, stating it leaked data in late February 2026. In France, attackers stole about **15.8 million administrative files** after breaching health-ministry software supplier **Cegedim Santé**, impacting its *MonLogicielMedical (MLM)* product used by thousands of doctors; the stolen data reportedly included **identity and contact details**, and in a smaller subset (~**165,000** files) **free-text doctors’ notes** that in limited cases contained sensitive medical-history details. Separately, **OCAT, LLC d/b/a Evoke Wellness at Hilliard** updated a breach notification describing **unauthorized network activity** and potential access to patient information; reporting also tied the matter to an **insider misuse** investigation in which a former employee allegedly accessed and sold patient data, though public filings contained **inconsistent timelines** about when the underlying incident occurred and when it was discovered.
Mar 25, 2026