Healthcare Sector Data Breach Disclosures Expand Victim Counts Across Multiple Incidents
Multiple healthcare-related breach disclosures expanded significantly, led by TriZetto Provider Solutions reporting to regulators that 3,433,965 people were affected after an attacker used a web portal to access historical eligibility reports containing sensitive data (including SSNs and insurance information). Separately, Conduent Business Services told Wisconsin regulators that its incident now impacts “25 million-plus” people nationwide; the Xerox spinoff had previously reported ~15.5 million affected in Texas, prompting an investigation by Texas AG Ken Paxton, while reporting noted the event is still smaller than the largest U.S. health-data breach on record.
Reporting on the Change Healthcare ransomware incident reiterated that UnitedHealth estimated roughly 190 million people were affected, with congressional testimony attributing initial access to a Citrix remote access portal lacking MFA, followed by data theft and ransomware deployment; reporting also cited a $22 million ransom payment. In the Asia-Pacific region, a separate healthcare privacy incident involving New Zealand’s ManageMyHealth patient portal was cited as exposing data from ~120,000 people, and was used to underscore governance, access control, and third-party oversight gaps as recurring drivers of healthcare-sector exposure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
TriZetto updated breach total to 3.43 million people
TriZetto updated its report to Oregon's Department of Justice to state that 3,433,965 people were affected and filed breach notifications in multiple states. Some private medical providers and several states also publicly confirmed victim counts.
Conduent reported at least 25 million people affected
In a filing to Wisconsin regulators, Conduent said the breach affects at least 25 million people nationwide, a major increase from earlier state-level disclosures. Texas and Montana officials were also investigating impacts tied to Blue Cross Blue Shield members.
Oregon counties warned residents about TriZetto impact
County governments in Oregon previously warned that the TriZetto incident affected hundreds of thousands of residents whose data was exposed through the compromised portal.
ManageMyHealth breach exposed about 120,000 people
A breach of New Zealand's ManageMyHealth patient portal exposed sensitive information for roughly 120,000 people, making it one of the country's most significant healthcare privacy incidents.
TriZetto began notifying customers about the breach
TriZetto began notifying customers in December after investigating the incident with law enforcement and Mandiant.
TriZetto discovered its 2024 breach
TriZetto discovered the breach in October 2024, according to later reporting cited in the update on the incident.
Conduent publicly disclosed the breach in an SEC filing
Conduent first publicly disclosed the hacking incident in an SEC filing in April 2025, before later state notifications expanded the known scale of impact.
Conduent discovered the hacking incident
Conduent said it discovered the breach on 2025-01-13 and later determined the compromise had been ongoing since October 2024.
TriZetto attacker began accessing historical eligibility reports
At TriZetto Provider Solutions, malicious activity began in November 2024 when an attacker accessed historical eligibility reports through a web portal, exposing data later described as including Social Security numbers, addresses, and health insurance numbers.
Conduent systems were accessed without authorization
Conduent said attackers had unauthorized access to its servers from 2024-10-21 through 2025-01-13, potentially exposing sensitive personal and health-related data affecting patients nationwide.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Health insurance tech provider TriZetto says more than 3 million impacted by 2024 breach | The Record from Recorded Future News
therecord.media
Open sourceConduent Says Hack Now Affects at Least 25 Million Patients
govinfosecurity.com
Open sourceMassive federal data breach may be the biggest hack in US history - Morning Overview
morningoverview.com
Open sourceDigital Risk Is Now a Clinical Challenge - BankInfoSecurity
bankinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Third-Party Healthcare and Benefits Service Provider Breaches Expand to Millions of Victims
Health insurance technology provider **TriZetto Provider Solutions** (a Cognizant subsidiary) updated breach notifications indicating the impact of its **November 2024** intrusion has grown to **more than 3.4 million** affected individuals. Disclosures to state regulators and downstream notifications from county governments and healthcare providers indicate theft of sensitive personal data including **addresses, Social Security numbers, and health insurance identifiers**, with some jurisdictions reporting hundreds of thousands of impacted residents. Separately, the **Conduent** incident has expanded dramatically in public filings, with reported totals rising from roughly **10.5 million** to **more than 25 million** affected individuals across the US, including a major increase in **Texas** (reported at **15.4 million**) while **Oregon** remains around **10.5 million**. Reporting indicates attackers maintained access for roughly **three months** and exfiltrated about **8 TB** of data, underscoring the systemic risk posed by large, behind-the-scenes vendors that support **Medicaid/SNAP and other state benefit programs**, healthcare-related processing, and major employer services—creating a wide “blast radius” even for individuals unfamiliar with the vendor name.
Mar 21, 2026
Large US Healthcare Data Breaches Impacting Millions of Patients
Multiple healthcare-sector data breaches were disclosed with significant exposure of **protected health information (PHI)**. TriZetto Provider Solutions (TPS), an insurance verification provider, reported a compromise that began in **November 2024** and was not detected until nearly a year later; the threat was reportedly eradicated on **Oct. 2, 2025**. Notifications to affected healthcare provider customers across several states continued into late 2025 and early 2026, with one Oregon advisory estimating exposure affecting **more than 700,000 people**; impacted providers stated there was no current evidence of misuse and that **financial details were not stolen**. Separately, Healthcare Interactive (*HCIactive*), an AI-powered insurance enrollment and benefits administration vendor, confirmed that an intrusion and data exfiltration tied to activity in mid-2025 ultimately affected **3,056,950 individuals**, after earlier placeholder reporting while scope was still being determined; reported unauthorized access windows vary from **July 8–12, 2025** to a broader **June 17–July 22, 2025**. Another incident involved AI care-coordination platform *Lena Health*, where a threat actor claimed exposure of patient data (including references to a **Twilio call recording database**) and alleged that **2,134 patients’ PHI** was stored in an unencrypted export in a public-facing **AWS S3 bucket**, with follow-on reporting indicating exploitation after a publicly disclosed vulnerability and an available patch that was not applied in time.
Mar 21, 2026
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026