Variety Care notifies 17k of data breach

The Oklahoma-based healthcare provider reported the breach to the HHS late last year.

What happened

Variety Care recently reported a data breach to the Department of Health and Human Services (HHS) , stating that the incident impacted approximately 17,163 individuals.

On Variety Care’s website, the company noted impacted individuals would receive a physical letter via mail at some point in January this year.

Impacted information includes names, addresses, dates of birth, Social Security numbers, health insurance member numbers, health insurer names, provider names, and other demographic information.

Going deeper

According to the notice posted online, the breach is connected to one of Variety Care’s business associates, TriZetto Provider Solutions (TPS) that has also made headlines for the data breach.

The breach at TPS took place on October 2nd, 2025, within one of the company’s web portals that is used by some customers to access Variety Care’s system. After TPS became aware of suspicious activity, it quickly launched an investigation and took steps to mitigate the issue.

The investigation determined that the breach actually began far earlier, in November of 2024, when an unauthorized actor began accessing “some records related to insurance eligibility verification transactions,” that are used by providers to determine insurance coverage. Providers like Variety Care began being notified on December 9th, 2025.

In the know

Most large and small healthcare organizations work with business associates for a variety of reasons, from administrative tasks like billing, to partnering with companies like Paubox to maintain security. While cybersecurity and data protection is built into every aspect of working with Paubox, many healthcare companies partner with vendors without paying significant attention to the potential risk. According to a Paubox report, partnering with vendors can introduce an “invisible risk” because healthcare organizations may not know how that data is being treated or what risks it might be exposed to. In 2025, business associate email exposure accounted for 28% of email incidents reported to the HHS. Before using any business associate, healthcare organizations should carefully vet their data security practices and form a business associate agreement.

The big picture

Variety Care is actively taking steps to prevent a breach like this from occurring again, and noted that TPS is similarly implementing additional protective measures. Variety Care is offering credit monitoring and TPS is providing fraud assistance for anyone who may become a victim.

Victims of the TriZetto breach are slowly coming forward, with several other providers, like Gardner Health Services, releasing breach notifications. Like with many business associates, it can be difficult to determine the true impact of the data breach; many providers are notified individually and it’s unclear how many providers were impacted. The true number of impacted individuals may not be known for some time.

Read more: TriZetto alerts clients to extended network intrusion.

FAQs

Why did the breach go unnoticed for so long?

It’s common for breaches to go unnoticed, especially if cybersecurity is not regularly audited by the breached company. Many hackers will only trigger alert systems or make their presence known after they exit the infiltrated system. The longer a malicious actor is able to step in a network, the more data they can still and damage can be inflicted. Organizations should actively monitor network activity to prevent issues like this from arising.

Does having information stolen in a breach guarantee fraud or identity theft?

No. Having data stolen does not necessarily mean the information will be published on the dark web or be used by malicious actors, but it does greatly increase the risk. Once information is hacked, it’s possible that the hacker will try to sell the data or use it as a bargaining chip. Then, other malicious actors may try to use the data for identity theft or fraud.