Mar 21 / Dianne Pledgie

TriZetto Reports Breach Impacting 3.4 Million Individuals

On February 6, 2026, a breach report for TriZetto Provider Solutions (“TriZetto”) was posted on the Office for Civil Rights (OCR) Breach Portal. TriZetto provides billing-related services to healthcare providers. According to the report, more than 3.4 million individuals were affected, making it one of the largest breaches reported in 2026 to date.

In December 2025, TriZetto notified covered entities that their patient information may have been impacted and offered to make breach notifications on their behalf. Many community health centers received these notices because TriZetto serves as a subcontractor to OCHIN, which operates a shared instance of the Epic electronic health record (EHR) system for its members, which include Federally Qualified Health Centers (FQHCs), rural health clinics, and behavioral health providers. According to OCHIN, approximately 9% of patients across its network were impacted by the TriZetto breach.

While HIPAA covered entities are ultimately responsible for ensuring breach notification requirements are met, they may delegate the responsibility to a business associate or, in this instance, a downstream or secondary business associate such as TriZetto (see OCR’s Change Healthcare Cybersecurity Incident Frequently Asked Questions). Many covered entities, including community health centers, accepted TriZetto’s offer to notify affected individuals, OCR and the media.

Some community health centers submitted separate reports to OCR about the TriZetto breach, and many of those reports have been removed from the OCR Breach Portal. In addition, certain community health centers also reported as required under state data breach reporting laws.

OCR is required to investigate all breaches affecting 500 or more individuals. Such investigations may take several years to conclude. State attorneys general and consumer protection agencies may also initiate separate investigations.

While regulatory investigations and litigation may involve multiple parties, covered entities receiving data requests, demand letters or lawsuits related to the TriZetto breach should carefully assess their role and seek legal guidance in responding.

For more information, please contact:

Dianne Pledgie
Principal
dianne.pledgie@powerslaw.com
