Updates to two business associate breaches reveal that millions of patients have been impacted by third-part breaches, with Healthcare Interactive’s breach affecting 3 million patients and TriZetto Provider Solutions’s breach reportedly affecting another 700,000 patients.
Healthcare Interactive
Healthcare Interactive (“HCIactive”) is a Maryland-based provider of AI-powered software solutions for insurance enrollment and benefits administration. In June 2025, they experienced a data breach that was initially reported to HHS with a “placeholder” report of 501 patients affected.
The hacking incident exposed many types of personal and protected health information: name, address, date of birth, Social Security number, phone number, and email address; health insurance enrollment data (such as health plans/policies, insurance companies, member/group ID numbers); medical data (such as medical record numbers, doctors, diagnoses, prescriptions, lab results, images, care, and treatment); and health insurance claims data, such as claim numbers, account numbers, explanation of benefits, and billing codes.
In a December 2025 report to the Maine Attorney General’s Office, HCIactive reported that 87,565 people were affected.
One month later, however, they notified the Oregon Attorney General that 3,056,950 people were affected. As The HIPAA Journal reported, that number made it the 5th largest breach of 2025.
TriZetto Provider Solutions
TriZetto Provider Solutions (TPS) provides revenue cycle management services to healthcare providers. In November 2024, threat actors gained access and began accessing historical eligibility reports stored on the TPS system. The affected reports contain protected health information of clients’ patients. The breach was discovered and contained in early October 2025. TPS’s clients were notified in December and January and began notifying their patients. In some cases, TPS made the patient notifications for the clients.
Although some clients have publicly disclosed the breach, most have not disclosed the number affected. One client, Deschutes County Health Services, noted, however, “TPS reports that the threat was eliminated on Oct. 2, 2025, and may have exposed the PHI of more than 700,000 people.”
The breach has resulted in lawsuits against TPS’s parent company, Cognizant.
Numerous sites, citing Deschutes’ statement, have reported that TPS said more than 700,000 may have been affected, but there is no public confirmation of that claim from TPS or Cognizant.
HCIactive and TPS are just two of many vendors in the healthcare space that experienced breaches in the healthcare sector in 2025. And while most vendors may survive a costly breach, others may not fare as well.
