
Native American Health Center, a nonprofit Federally Qualified Health Center in the San Francisco Bay Area, recently experienced a data breach involving sensitive patient information. The breach was disclosed to the California Attorney General on Jan. 6, 2026, and affected individuals have been notified.
On Dec. 15, 2025, Native American Health Center was informed by OCHIN, its electronic medical record system provider, that a third-party company, TriZetto, experienced unauthorized access to one of its systems. TriZetto supports the billing and insurance processing for the health center’s patients. The breach occurred when an unauthorized individual gained access to TriZetto’s systems, exposing a range of sensitive data.
The exposed information includes personally identifiable information (PII) such as name, Social Security number, date of birth and contact details, as well as protected health information (PHI) including certain health-related and insurance information. Not every patient was impacted, but the incident potentially affects a significant portion of the center’s patient population. There is no evidence at this time that the compromised information has been misused.
This breach is considered severe due to the nature of the data involved and the fact that the attack targeted a third-party vendor responsible for handling sensitive medical and insurance information. The breach was not caused directly by Native American Health Center or OCHIN, but rather by a security lapse at TriZetto, highlighting the risks associated with third-party vendors in the healthcare industry.
For more details, the official disclosure can be reviewed on the California Attorney General’s data breach report page.
In response to the breach, Native American Health Center immediately began working with OCHIN to understand the scope of the incident and to ensure the security of patient data. TriZetto took immediate steps to halt the unauthorized activity and secure its systems once the breach was discovered. The health center is now reviewing its own processes and working closely with OCHIN to monitor vendor compliance and strengthen security safeguards.
Affected individuals are being notified directly and offered support resources. TriZetto has engaged Kroll, a leading provider of identity theft protection and notification services, to assist those impacted. Kroll will provide affected patients with notification services, call center support and identity theft protection. Beginning Jan. 5, 2026, TriZetto will operate a dedicated, toll-free call center at 844-572-2724 for questions and support.
Those who may have been affected are encouraged to remain vigilant for suspicious activity, such as unexpected bills, unfamiliar insurance statements or communications requesting personal information. If anything unusual is noticed, it is recommended to contact health insurers or financial institutions immediately.







