A Summary of the White Paper, “Navigating the ChiroTouch/TriZetto HIPAA Breach”
White Paper by Ty Talcott, DC, CHPSE
Summary by Jeff Curwen, CAE
What Chiropractors Need to Know—and What to Do Now
Audience: Doctors, chiropractic practice owners, office managers, billing leaders
Purpose: Practical, chiropractic-focused guidance to help you respond to the ChiroTouch / TriZetto incident, protect your patients, and document HIPAA compliance.
Educational Notice (Not Legal Advice): This white paper is for general educational purposes only and does not constitute legal advice. HIPAA requirements and timelines vary based on facts, vendor contracts, and state law. Consult qualified legal counsel for advice specific to your situation.
Key Takeaways for Chiropractors (Read First)
• If you use ChiroTouch and submit claims or eligibility transactions through TriZetto, your patients’ PHI may have been involved—even though your office was not directly attacked.
• Vendor involvement does not eliminate your responsibility. Your response must be timely, appropriate, and documented.
• TriZetto and Kroll may assist with notifications, reporting, and credit monitoring, but this is delegated work—not transferred liability. You must oversee, confirm, and document what is done.
• Time matters. HIPAA generally requires notification without unreasonable delay and no later than 60 days after discovery. Treat the date you receive notice as Day 0 for tracking.
• Documentation is your defense. Your strongest protection is a clear record of what you knew, when you knew it, and what you did.
• Use this incident as a compliance stress test. Practices with current policies, training, risk analyses, and business associate oversight fare best.
Background: What Happened in the TriZetto Breach
TriZetto Provider Solutions, a Cognizant-owned provider of revenue management and clearinghouse services, reported unauthorized access to a web portal used by certain healthcare providers.
Key Facts
• October 2, 2025: TriZetto detected suspicious activity and secured the portal.
• TriZetto engaged Mandiant and law enforcement to investigate and remediate.
• Forensics determined an unauthorized third party accessed historical eligibility transaction reports from November 24, 2024, for nearly 11 months before discovery.
• Affected data included PHI of patients of certain provider clients, including chiropractic practices using ChiroTouch and routing transactions through TriZetto.
Information Potentially Involved
• Names, addresses, dates of birth
• Social Security numbers
• Health insurance member numbers (including Medicare numbers in some cases)
• Insurer names
• Information about the primary insured or beneficiary
• Other demographic, health, and insurance information
TriZetto reports no financial account data was involved and no further unauthorized activity has been detected since October 2, 2025.
Why Chiropractors Should Care
If your practice submits claims or eligibility transactions through TriZetto (directly or indirectly), your patients’ PHI may have been stored in the affected environment—even though the breach occurred at a third-party vendor.
Why This Is an Emergency
Under HIPAA’s Breach Notification Rule, once a covered entity becomes aware of a breach involving unsecured PHI, notifications are generally required without unreasonable delay and no later than 60 days after discovery.
When a business associate notifies you of a breach involving your patients’ PHI, you must act immediately. Additional reporting (HHS/OCR, state regulators, or media) depends on the facts, number of individuals affected, and state law.
Failure to act can lead to:
• Significant fines and penalties
• OCR or state investigations
• Allegations of willful neglect
Bottom line: You may not have caused the breach, but you are accountable for how you respond.
What TriZetto and Kroll Are Offering
TriZetto has notified affected providers and, often through Kroll, may offer:
• Preparation and mailing of patient notification letters
• Notifications to HHS/OCR, state regulators, and media (if required)
• Lists of affected individuals and data summaries
• Complimentary credit monitoring, fraud consultation, and identity theft restoration
These services may be provided at no cost if you enroll by the stated deadline (e.g., January 19, 2026, if applicable).