When TriZetto Provider Solutions disclosed that a breach had exposed records belonging to 3.4 million patients, most of the coverage focused on the company itself—its parent organization, the attack vector, the notification timeline. What got less attention was the downstream reality: thousands of healthcare practices, regional hospitals, and specialty clinics that had entrusted TriZetto with their claims processing and that now faced their own regulatory obligations as a result of a breach they did not cause and could not have prevented.

I got four calls in the week following the disclosure. All from small to mid-size healthcare practices in the Hudson Valley. The questions were the same: “We use TriZetto. Are we affected? What do we have to do? Are we liable?” The honest answers were: probably, more than you think, and it depends on your business associate agreement.

This is the reality of healthcare data privacy in 2026. Your risk surface extends well beyond your own four walls. Every vendor that touches protected health information—claims processors, billing services, EHR platforms, transcription services, cloud storage providers—is a node in your compliance chain. When one of those nodes fails, the regulatory obligations flow back to you. The Office for Civil Rights does not accept “our vendor got hacked” as an answer to why you didn’t have appropriate safeguards governing that relationship.

A 40-physician orthopedic practice and a 4,000-bed hospital system have the same HIPAA obligations. They do not have the same resources. That disparity is where the risk concentrates.

01. Third-Party Risk Is the Primary Risk

The pattern repeats with numbing regularity. In the last eighteen months: Change Healthcare’s breach disrupted claims processing for thousands of providers nationally and exposed an estimated 100 million patient records. TriZetto’s disclosure added another 3.4 million. Smaller breaches at billing companies, transcription services, and cloud-hosted EHR platforms added thousands more, most never making national headlines but each triggering the same regulatory cascade for the covered entities downstream.

For a mid-size healthcare practice, the math is stark. A typical practice with 20 providers might have 15 to 25 vendors touching PHI in some form. Each of those relationships should be governed by a HIPAA-compliant business associate agreement (BAA). Each vendor should have been assessed for adequate safeguards. Each should be monitored on an ongoing basis. In reality, most practices have BAAs with their major vendors—the EHR, the billing company, maybe the cloud provider—and little documentation beyond that. The transcription service. The patient messaging platform. The analytics tool the practice manager signed up for with a credit card. The AI-powered coding assistant the billing team started using last quarter. Each of those is a PHI exposure point, and most are ungoverned.

The BAA Gap

Most practices have business associate agreements with their top 3-5 vendors. They typically have 15-25 vendors touching PHI. The gap between those numbers is unmanaged regulatory exposure.

The Assessment Gap

Having a BAA is necessary but not sufficient. HIPAA requires covered entities to assess whether their business associates have adequate safeguards. A signed agreement without due diligence is a compliance checkbox, not a control.

The Monitoring Gap

Vendor risk changes over time. The vendor you assessed two years ago may have changed ownership, infrastructure, or security posture. Without ongoing monitoring, your risk assessment is a historical document.

02. What OCR Expects—And What They Find

The Office for Civil Rights has been explicit in enforcement actions: a covered entity’s obligation to safeguard PHI does not end at the edge of its own network. When a business associate breach triggers a notification obligation, OCR investigators routinely examine whether the covered entity (CE) had appropriate oversight of that relationship. They look for a current, signed BAA. They look for evidence that the covered entity assessed the business associate’s (BA’s) security practices. They look for documentation showing the CE monitored the relationship and took action when deficiencies were identified.

What they find, in most mid-size practices, is a signed BAA and little else. The BAA may be years old and may not reflect current data flows. The security assessment, if one exists, was often conducted at contract inception and never updated. Monitoring is typically nonexistent—no one reviews the BA’s security attestations (assuming they provide any), and no one verifies that the protections described in the BAA are actually in place.

This is not a hypothetical enforcement risk. OCR settlement agreements routinely cite inadequate business associate oversight as a contributing factor, even when the breach originated entirely at the business associate. The covered entity did not cause the breach. But the covered entity failed to manage the risk. In OCR’s framework, those are related failures.

Post-Breach Regulatory Checklist for Downstream Covered Entities

If your business associate has disclosed a breach, these are your immediate obligations:

03. Rural and Regional Healthcare: Disproportionate Exposure

The practices that called me after TriZetto were not large hospital systems with compliance departments and legal teams on retainer. They were a four-provider family medicine practice, a regional urgent care chain with six locations, a behavioral health group with twelve clinicians, and a solo orthopedic surgeon with a shared office staff of three. These organizations have the same HIPAA obligations as any covered entity. They do not have the same infrastructure to meet them.

Rural and regional healthcare practices face a compounding problem. They are more dependent on third-party service providers because they lack the scale to build capabilities internally. They are more vulnerable to vendor breaches because they have fewer alternatives and less leverage to demand security assurances. And they have the least capacity to respond when a breach occurs—no CISO, no privacy officer (or one who carries that title alongside three others), and no incident response retainer.

The four-provider family practice I spoke with had one person handling billing, compliance, credentialing, and human resources. She had been aware of the TriZetto disclosure for three days before calling. She had not yet determined whether her practice’s patients were affected because she couldn’t get a straight answer from TriZetto’s notification process. She had no template for a breach response. She had no relationship with a privacy attorney. And she had a genuine question that she asked with a mix of frustration and anxiety: “How am I supposed to do all of this?”

The answer is not that she needs to hire a full-time CISO. The answer is that she needs access to the expertise on a basis that matches her scale. Eight hours a month with someone who understands HIPAA, can manage vendor risk, and can coordinate breach response is worth more than a policy manual gathering dust.

04. Building a Vendor Privacy Program That Actually Works

A vendor privacy program for a mid-size healthcare practice does not need to be elaborate. It needs to be real. The difference between a program that protects the practice and a binder that satisfies an auditor is operational: does someone actually review these agreements, assess these vendors, and track these relationships? Or is it paperwork?

The Four-Part Vendor Privacy Framework

Inventory: List every vendor, service, and tool that touches PHI in any form. Include the obvious ones (EHR, billing, clearinghouse) and the ones people forget (patient communication apps, cloud fax services, transcription tools, AI coding assistants). If it touches PHI, it’s on the list.
Agreements: Every vendor on the list needs a current BAA. Not a BAA from 2019 that references data flows that no longer exist. A current agreement that reflects how PHI actually moves between your practice and that vendor today.
Assessment: For your top-tier vendors (highest volume of PHI, most critical to operations), conduct a basic security assessment. This can be a questionnaire, a review of their SOC 2 report, or a conversation with their security team. Document what you found. For lower-tier vendors, a lighter-touch review is acceptable—but document that you made a risk-based decision about the level of review.
Monitoring: Set a calendar. Review your vendor inventory annually. Re-assess high-risk vendors when contracts renew or when you become aware of a material change (acquisition, breach, infrastructure change). This doesn’t require a platform. It requires a calendar entry and someone accountable for doing the work.

The family practice implemented this framework in three weeks. The inventory took two days. They discovered four vendors they hadn’t previously identified as handling PHI—including a patient intake form tool and a cloud-based scheduling service. Updated BAAs were in place within ten days. The security assessment for their top five vendors (EHR, billing service, clearinghouse, lab interface, and cloud backup) was completed in a week. The ongoing monitoring calendar is now a recurring quarterly task.

Total cost: approximately $4,500 in advisory time. Total reduction in regulatory exposure: substantial. When the next vendor breach disclosure arrives—and it will—they will have documentation showing they managed the relationship with reasonable diligence. That documentation is the difference between a defensible position and an OCR finding.

Five Questions for Healthcare Practice Leaders

The TriZetto breach will fade from the headlines. The next one will take its place. The practices that weather these events without regulatory consequence are not the ones that got lucky. They are the ones that built a manageable, documented, actively maintained vendor privacy program before the breach letter arrived. That work is available to any practice willing to invest a few weeks of focused effort. The alternative—discovering your exposure in the middle of someone else’s crisis—is more expensive in every way that matters.
