Mission Neighborhood Health Center third-party data breach affects 4K

Mission Neighborhood Health Center (MNHC), a California-based healthcare provider, has begun notifying patients of a data breach involving protected health information (PHI), potentially affecting 3,741 individuals.


What happened

Mission Neighborhood Health Center was notified on December 12, 2025, by business associate OCHIN, which supports MNHC’s Epic electronic health record system, of a data security incident involving OCHIN’s subcontractor, TriZetto, a healthcare eligibility and claims clearinghouse. While MNHC confirmed that its own systems were not directly accessed, PHI belonging to MNHC patients may have been involved.

According to information provided to MNHC, the incident stemmed from unauthorized access to certain TriZetto systems that occurred in November 2024. TriZetto identified and contained the activity and secured its systems on October 2, 2025.

OCHIN became aware of the incident on December 9, 2025, and notified MNHC three days later. MNHC subsequently received a list of potentially affected patients and began its investigation, mitigation, and notification efforts. On December 19, 2025, MNHC filed notice with the U.S. Department of Health and Human Services Office for Civil Rights.


What was said

According to the breach notification letter submitted to the State of California Department of Justice, MNHC states, “While there is no current evidence of misuse, we recommend that you take the following steps to protect yourself:

  • Review your health insurance statements and explanation of benefits (EOBs) for any unfamiliar services or charges.
  • Contact your health plan if you notice suspicious or incorrect activity.
  • Keep copies of medical and insurance records for reference.”


In the know

A business associate is a third-party organization that performs services for a HIPAA-covered entity and, in doing so, creates, receives, maintains, or transmits PHI. These vendors can include electronic health record providers, billing and claims processors, cloud service providers, data analytics firms, and other subcontractors that support healthcare operations. While business associates are required to comply with HIPAA through contractual agreements, they often operate outside a provider’s direct control, limiting visibility into their security practices.

So even if a healthcare provider's own systems are secure, a weakness at a business associate or one of its subcontractors can expose large volumes of patient data. As more healthcare organizations depend on interconnected vendors, the attack surface grows, and breaches that originate in the supply chain tend to be harder to detect, slower to contain, and more damaging.

In the first half of 2025, business associates were involved in 17 of the 107 reported email-related healthcare breaches, accounting for 16% of all such incidents. These breaches are also among the largest on record. For example, the Episource breach, involving a business associate of Optum, reportedly affected as many as 192.7 million Americans as of early August 2025. Correspondingly, regulatory enforcement has improved, with more than 75% of HIPAA resolution agreements tied to security incidents between 2020 and 2024 citing failures to conduct adequate enterprise-wide risk analyses that included third-party vendors.

Go deeper: Report: 2025 mid-year email breach data reveals there’s no slowing down


Why it matters

The MNHC breach shows how third-party relationships have become a major cybersecurity risk in healthcare. As healthcare organizations rely more on vendors for electronic health records, claims processing, and data management, a single weakness anywhere in the supply chain can compromise thousands or even millions of records.

For patients, these incidents increase the risk of identity theft, medical fraud, and long-term misuse of sensitive health information. For healthcare organizations, the consequences extend beyond breach response costs to include regulatory investigations, mandatory notifications, reputational damage, and potential civil liability.


FAQs

What is a healthcare data breach?

A healthcare data breach is an incident in which protected health information (PHI) or sensitive personal data is accessed, disclosed, or used without authorization.


What is a third-party vendor breach?

A third-party vendor breach happens when a healthcare vendor or business associate experiences a security incident that exposes patient data.


What is a healthcare clearinghouse?

A healthcare clearinghouse processes health information, like insurance claims and eligibility data, between providers and insurers.