University of Hawai’i Cancer Center: 1.24 Million Individuals Affected by 2025 Ransomware Attack

The University of Hawai’i Cancer Center (UHCC) has confirmed that up to 1.24 million individuals may have been affected by its August 2025 ransomware attack. The HIPAA Journal previously reported on the incident in January 2026 (see below), when the attack and data breach were first announced; however, at the time, the file review was ongoing, and the number of affected individuals had yet to be announced.

UHCC explained that the notification delay was due to the volume of data impacted, the complexity of the encrypted data, and the age of the studies and records. In a report to the state legislature, UHCC provided additional information about the attack and data breach, confirming that the ransomware attack had no impact on patient care, clinical trials operations, or its Basic Science and Prevention Division, and that there was no unauthorized access to student records.

The forensic investigation determined that the threat actor accessed the UHCC Epidemiology Division’s research files, exfiltrated files, and encrypted data. The initial findings of the investigation were that a majority of the affected files related to its decades-long Multi Ethnic Cohort (DEC) Study, which mostly contained research data with no personal information about the study participants.

Further investigation determined that some of the files in the impacted data contained Social Security numbers and driver’s license numbers of individuals recruited for that study between 1993 and 1996. UHCC recruited more than 215,000 individuals from Hawai’i and Los Angeles, CA, for that study. UHCC began compiling a list of names and obtained mailing addresses for all potentially affected individuals and has now mailed 87,493 notification letters to the affected study participants. They have been offered 12 months of complimentary credit monitoring and identity theft protection services.

As the review of the impacted files continued, UHCC identified names and Hawaiʻi State driver’s license numbers in the impacted data. They had been collected in the year 2000 from the State Department of Transportation, plus voter registration information collected in the year 1998 from the City & County of Honolulu. At that time, Social Security numbers were commonly used as driver’s license numbers and voter registration numbers, and government departments freely provided those lists. The lists were used by its researchers to recruit study participants and for associated research purposes. UHCC also identified Social Security numbers and health-related information obtained for epidemiological studies of diet and cancer. Across these additional files, UHCC identified 1,153,527 potentially affected individuals, in addition to the 87,493 individuals who were notified by mail.

Under state law, if more than 200,000 individuals are affected by a data breach, if the cost of mailing notifications exceeds $100,000, or in cases where sufficient contact information is not held, electronic notifications are permitted. UHCC located email addresses for approximately 900,000 individuals out of the 1,153,527 potentially affected individuals, and has emailed notifications to those individuals. A substitute breach notice has been added to the UHCC website to serve as notice for the individuals who could not be emailed, and statewide media has been notified.

UHCC has established a dedicated call center for individuals to make contact for further information about the impacted data and to request credit monitoring services. The call center – (844) 443-0842 – is manned Monday to Friday, 8:30 a.m. to 9 p.m. Central Time (excluding holidays). The data review is not yet concluded; however, UHCC is confident that any further personal or protected health information that has yet to be identified will be minimal. Should further individuals be identified, they will be notified separately.

UHCC has confirmed that it has implemented “extensive cybersecurity and governance enhancements” in response to the ransomware attack and data breach and has shared information about those measures in its detailed breach notice. UHCC lists several technical measures that have been implemented or enhanced. To improve information security oversight, a new Information Security Governance Council for Research has been established to coordinate with research-related cybersecurity, and a new Information Security Task Force has been established, which is responsible for updating policies, strengthening cyber roles and responsibilities, and recommending enterprise‑level controls and investments.

“This cyberattack requires a comprehensive, systemwide response. I have initiated a full review of information technology systems across all 10 campuses to ensure we are strengthening protections wherever needed,” said UH President Wendy Hensel. “We will take a holistic approach, identify areas requiring additional investment, and move forward with those improvements. Safeguarding the data entrusted to us is essential to our mission and our responsibility to the people of Hawaiʻi.”

January 15, 2026: University of Hawai’i Cancer Center Confirms Patient Data Stolen in Ransomware Attack

The University of Hawai’i Cancer Center has recently disclosed an August 2025 ransomware attack involving the acquisition of the sensitive data of study participants. University of Hawai’i Cancer Center, part of the University of Hawai’i (UH) System, is located in the Kakaʻako district of Honolulu and is the only National Cancer Institute-designated center in the state. According to the cancer center’s press release and breach reports to state attorneys general, unauthorized access to its computer network was discovered on or around August 31, 2025.

The affected servers were isolated, and an investigation was launched to determine the nature and scope of the unauthorized activity. University of Hawai’i Cancer Center confirmed that a ransomware group had breached its network, encrypted files, and exfiltrated research files containing patient information. The University of Hawai’i Cancer Center said its electronic medical record system was unaffected; however, files were obtained that contained patients’ protected health information.

The majority of the stolen files related to a single research project. The review of those files revealed that some contained the Social Security numbers of research participants dating back to the 1990s. The University of Hawai’i Cancer Center said that in the 1990s, Social Security numbers were used as patient identifiers; however, that practice has since been halted, and alternative identifiers are now used.

Due to the highly sensitive nature of the stolen data, UH made the difficult decision to engage with the threat actor. University of Hawai’i Cancer Center said it worked with third-party cybersecurity experts to obtain a decryption tool to recover the encrypted data, and paid a ransom to prevent the publication of the stolen data. Assurances have been received that all of the stolen data has been deleted.

Files unrelated to the research study are still being reviewed to determine if they contain any patient data. Notification letters have yet to be sent to the affected individuals, but they will be mailed once up-to-date contact information has been obtained. The University of Hawai’i Cancer Center said the affected individuals will be offered complimentary credit monitoring and identity theft protection services.

Even though the ransom was paid, due to the extent of file encryption, it has taken some time to recover the encrypted files and restore the affected systems. Additional security measures have been implemented to strengthen security, including replacing its existing firewall with a new firewall with additional security controls and installing new endpoint protection software with 24/7 monitoring. The University of Hawai’i Cancer Center said third-party cybersecurity experts have assessed and validated the cancer center’s security controls.

The incident has been reported to regulators; however, since the file review has not yet concluded, the number of affected individuals has yet to be disclosed.

The post University of Hawai’i Cancer Center: 1.24 Million Individuals Affected by 2025 Ransomware Attack appeared first on The HIPAA Journal.

Trizetto Data Breach: PHI of 3.4 Million Individuals Exposed

It has been more than four months since TriZetto Provider Solutions discovered unauthorized access to its IT environment, and it has now been confirmed that the protected health information of 3,433,965 individuals was exposed or compromised in the incident. The data breach has recently been added to the HHS’ Office for Civil Rights breach portal, suggesting the data breach investigation and data review have been completed. At more than 3.4 million affected individuals, it ranks as one of the largest healthcare data breaches of 2025.

January 26, 2026: Trizetto Data Breach Victim Count Swells

Based on previous estimates of the scale of the Trizetto data breach, more than 700,000 individuals were thought to have been affected. It is now clear that the data breach was significantly bigger. The Oregon Attorney General has recently been informed that the personal and protected health information of 3,433,965 individuals was exposed or compromised in the incident, plus a further 304 individuals in Trizetto’s capacity as a business associate of Columbia River Health.

Attorneys General in other U.S. states have also received breach notices, although few publicly disclose the number of state residents affected. Two states that do are Texas and South Carolina. The Texas Attorney General was informed that the personal and protected health information of 171,158 Texas residents was compromised in the incident, while South Carolina was informed that 3,562 individuals in the state were affected. Other states that have been notified but have not published the number of affected individuals include California, Massachusetts, New Hampshire, and Vermont. Based on the disclosures to the Oregon, Texas, and New Hampshire Attorneys General alone, the data breach is known to have affected more than 3.6 million individuals, making it one of the largest healthcare data breaches of 2025.

Trizetto has yet to confirm whether the review of the affected data has been completed, and there is currently no Trizetto data breach listed on the HHS’ Office for Civil Rights breach portal. It is not unusual for the number of affected individuals to be increased several times as a data breach investigation and data review progress. For instance, the massive data breach at Change Healthcare in 2024 was first reported as affecting 500 individuals. The total number of affected individuals was updated to 100 million, and the final estimate provided to regulators was 192,700,000 individuals.

While the Trizetto Provider Solutions data breach is unlikely to match the scale of the Change Healthcare data breach, it should be noted that Trizetto handles more than 4 billion payment, enrollment, and claims transactions each year in its capacity as a HIPAA business associate. The number of affected individuals could therefore be substantially higher than the 3.6 million currently known to have been affected.

Notification letters have started to be mailed to the affected individuals. The HIPAA Journal has been contacted by individuals who have been confused after receiving a breach notice from Trizetto, as they had no direct dealings with the company. This is a common occurrence when data breaches occur at business associates of HIPAA-covered entities. One California resident claimed the letter she received did not state the name of the healthcare provider that provided Trizetto with her data, which made her question whether the notification letter could be a scam.

January 15, 2026: TriZetto Provider Solutions Issues Data Breach Notifications to HIPAA Covered Entities (Update)

TriZetto Provider Solutions, a Cognizant-owned provider of revenue management services to physicians, hospitals, and health systems, has started notifying certain healthcare clients about a recently identified cybersecurity incident.

On October 2, 2025, suspicious activity was identified within a web portal used by some of its healthcare provider customers to access TriZetto systems. Immediate action was taken to secure the web portal and mitigate the incident, and the cybersecurity firm Mandiant was engaged to investigate the activity, review the security of the web portal application, and ensure that the incident is fully remediated. TriZetto is satisfied that the threat actor has been eradicated from its system. No further unauthorized web portal activity has been detected since October 2, 2025.

While the cybersecurity incident was only recently detected, the unauthorized access had been ongoing for a considerable period of time. The forensic investigation determined that an unauthorized third party first started accessing historical eligibility transaction reports within the TriZetto system in November 2024, almost a year before the unauthorized access was detected. The reports within its storage system contained the protected health information of patients of certain healthcare provider clients.

Between October 2, 2025, and the end of November 2025, Trizetto reviewed the data within the compromised system to determine the types of data involved and the individuals affected. Information compromised in the incident includes the names of patients and primary insureds, in combination with some or all of the following: address, date of birth, Social Security number, health insurance member number (in some cases, Medicare beneficiary number), health insurer name, information about the primary insured or beneficiary, and other demographic health and health insurance information. TriZetto said no financial information was involved.

Notifications have been issued to the affected healthcare clients, who have been provided with a list of the affected individuals and a copy of the affected data. The HIPAA Breach Notification Rule requires notifications to be issued to the affected individuals within 60 days of a HIPAA-covered entity being notified about a data breach at a business associate. Assuming the affected healthcare providers comply with that HIPAA requirement, individual notifications for the affected individuals should be mailed within 60 days.

TriZetto has offered to handle the breach notifications on behalf of the affected clients, should they determine that breach notifications are required under HIPAA. TriZetto has also offered to notify the HHS’ Office for Civil Rights, state regulators, and media outlets on behalf of its covered entity clients, and will also cover the cost of complimentary credit monitoring, fraud consultation, and identity theft restoration services.

It is currently unclear how many of its healthcare provider clients have been affected. Trizetto informed one of the affected clients that the protected health information of more than 700,000 individuals was likely compromised in the attack.

A majority of the affected covered entities are based in California and did not contract with Trizetto as a business associate. Trizetto was a subcontractor used by OCHIN, a provider of HealthIT solutions, workforce, and operational solutions to rural and community health centers. OCHIN was provided with certain patient data as required to perform its contracted services, and OCHIN subcontracted certain functions to TriZetto Provider Solutions. The incident highlights the wide-reaching effects of a cyberattack on a business associate or one of its vendors.

The HIPAA Journal is tracking breach reports, and confirmed data breaches are listed in the table below when each affected entity reports the breach to state attorneys general or the HHS’ Office for Civil Rights, makes a media announcement, or contacts the HIPAA Journal directly. The list below is not exhaustive.

| Affected Entity | State | Nature of Relationship | Affected Individuals |
|---|---|---|---|
| Asian Americans for Community Involvement | California | TriZetto was a subcontractor of business associate OCHIN | 521 |
| Axis Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 3,579 |
| Baltimore City Health Department | Maryland | TriZetto was a subcontractor of business associate OCHIN | 2,597 |
| Bay Area Community Health | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Benton County Health | Oregon | Business associate | 1,476 |
| Best Care | Oregon | Business associate | 1,650 |
| CE-Edinger Medical Group | California | Unknown | Unconfirmed |
| Chattanooga C.A.R.E.S. d/b/a Cempa Community Care | Tennessee | TriZetto was a subcontractor of business associate OCHIN | 1,341 |
| Columbia River Health | Oregon | Business associate | 304 |
| Deschutes County Health Services | Oregon | Business associate | 1,305 |
| Friends of Family Health Center | California | TriZetto was a subcontractor of business associate OCHIN | 2,256 |
| Gardner Health Services | California | Business associate | 6,197 |
| Harmony Health Medical Clinic and Family Resource Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Indian Health Center of Santa Clara Valley | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Ko-Kwel Wellness Center | Oregon | TriZetto was a subcontractor of business associate OCHIN | 543 |
| La Clinica de la Raza | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| La Pine Community Healthcare Center | Oregon | Business associate | 1,190 |
| Lifelong Medical Care | California | Business associate | 70,000 |
| Lynn Community Health | Massachusetts | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Mendocino Community Health Clinic | California | TriZetto was a subcontractor of business associate OCHIN | 3,538 |
| Mission Neighborhood Health Center | California | TriZetto was a subcontractor of business associate OCHIN | 3,741 |
| Native American Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| OLE Health (dba CommuniCare + OLE) | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| One Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 4,309 |
| Open Door Community Health Centers | California | TriZetto was a subcontractor of business associate OCHIN | 6,633 |
| Pafford Medical Services (Pafford EMS) | Arkansas | Business associate | 1,000 |
| Petaluma Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Planned Parenthood Northern California | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Share Ourselves | California | Business associate | 2,864 |
| San Francisco Community Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Riverland Community Health | Minnesota | Business associate | 940 |
| Santa Barbara County Health Department | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Santa Cruz Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 1,487 |
| Santa Rosa Community Health Centers | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Terry Reilly Health Services (Community Health Clinics Inc.) | Idaho | TriZetto was a subcontractor of business associate OCHIN | 5,421 |
| Tiburcio Vasquez Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Utah Valley Pediatrics | Utah | TriZetto was a subcontractor of business associate OCHIN | 9,958 |
| Valley Family Care | California | Business associate OCHIN | 4,300 |
| Variety Care | Oklahoma | Business associate | 17,163 |
| Winters Healthcare | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |

This post was first published on December 11, 2025, and it will continue to be updated as further information about the TriZetto data breach is released. 


Mystic Valley Elder Services Agrees to Settle Class Action Data Breach Lawsuit for $520,000

The Malden, Massachusetts-based Mystic Valley Elder Services has agreed to pay $520,000 to settle a consolidated class action lawsuit stemming from an April 5, 2024, data breach. Unauthorized individuals gained access to the network of Mystic Valley Elder Services and potentially obtained the names, dates of birth, passport numbers, financial account numbers, payment card numbers, online credentials, taxpayer identification numbers, Social Security numbers, driver’s license numbers, health insurance information, and medical information of more than 89,600 individuals.

Five class action complaints were filed in response to the data breach, which were consolidated in the Middlesex County Superior Court in Massachusetts. The consolidated class action lawsuit – In re Mystic Valley Elder Services Inc. – alleged that the data breach occurred as a result of cybersecurity failures, that Mystic Valley Elder Services failed to detect the unauthorized activity in a timely manner, and that it did not send timely notifications to the affected individuals, who did not learn about the data breach until 6 months later.

The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violations of the Massachusetts Consumer Protection Act. The lawsuit sought injunctive relief, including an order from the court prohibiting the transmission of sensitive data via unencrypted email, storing protected health information in email accounts, and requiring a host of security measures to be implemented to ensure the privacy and security of patient data. Mystic Valley Elder Services denies all liability and wrongdoing.

The lawsuit sought a jury trial; however, following mediation, all parties agreed to a settlement to avoid the cost, time, and uncertainty of a trial and related appeals. The settlement fund will be used to cover attorneys’ fees and expenses, settlement administration and notice costs, and service awards for the class representatives. The remainder of the settlement will be used to pay benefits to the class members.

Class members may claim a pro rata cash payment, estimated to be approximately $75 per class member. A claim may also be submitted for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member. The settlement also includes two years of credit monitoring and identity theft protection services. The final fairness hearing has been scheduled for February 17, 2026. Claims must be submitted by February 9, 2026.
