Sacramento Clinic Blames Vendor for Patient Data Breach

Got story updates? Submit your updates here. ›

One Community Health, a Sacramento nonprofit clinic, is telling patients that a recent data breach originated with a third-party vendor, TriZetto Provider Solutions, and not its own internal systems. The clinic faces a class-action lawsuit from a patient alleging failure to adequately protect patient information, which the lawsuit claims was shared with TriZetto without sufficient encryption. One Community Health says it is working with its electronic health record partner OCHIN and TriZetto while also conducting its own security reviews.

Why it matters

This case highlights the risks clinics and hospitals face when relying on third-party vendors for critical services like electronic health records. Breaches originating from vendors can quickly spill over into patient trust and lead to lawsuits, regulatory scrutiny, and reputational damage for the healthcare providers.

The details

According to One Community Health's notice, TriZetto detected suspicious activity on October 2, 2025 and provided the clinic with lists of potentially affected patients. TriZetto's investigation found that an unauthorized actor accessed historical eligibility transaction reports beginning in November 2024 and continuing until October 2, 2025. The exposed records can include names, dates of birth, Social Security numbers and health insurance identifiers.

• TriZetto detected suspicious activity on October 2, 2025.
• The unauthorized access to records began in November 2024 and continued until October 2, 2025.
• One Community Health filed a breach notification with the California Attorney General's office on November 1, 2024.

What they’re saying

What’s next

The judge in the case will decide on Tuesday whether or not to allow Walker Reed Quinn out on bail.