Bay Area Community Health patient data exposed in year-long third-party breach

Bay Area Community Health (BACH) reports a data breach exposing sensitive patient records. 

The incident originated at TriZetto Provider Solutions (TPS), a third-party insurance clearinghouse that integrates with BACH’s electronic medical record system, OCHIN. TPS, a subsidiary of Cognizant, discovered the breach after identifying suspicious activity on a web portal used by its healthcare provider clients.

The investigation conducted by cybersecurity firm Mandiant confirmed that unauthorized actors maintained access to TPS systems for nearly a year. The intrusion began in November 2024 and remained undetected until October 2, 2025. The attackers accessed historical eligibility transaction reports containing protected health information and personally identifiable information (PII). TPS notified BACH of the compromise on December 15, 2025.

The compromised data includes:

• Full names and contact information
• Social Security numbers
• Dates of birth
• Health insurance member numbers and insurer names
• Medicare beneficiary identifiers
• Health-related and insurance eligibility information

The number of affected BACH patients is not disclosed, but the organization serves over 100,000 individuals across Alameda and Santa Clara counties in California. 

The provider is offering complimentary credit monitoring and identity restoration services.