Full Report
On January 12, Valley Family Health Care (VFHC) notified HHS after learning that the TriZetto Provider Solutions (TPS) breach had affected 4,300 of their patients. The TPS breach, which began in November 2024, involved their patients’ names, addresses, dates of birth, Social Security numbers, health insurance member numbers (including Medicare beneficiary identifiers), health insurer names,...
Analysis Summary
# Incident Report: VFHC Targeted by Third-Party Breach and Insomnia Ransomware Group
## Executive Summary
Valley Family Health Care (VFHC) suffered two significant data security incidents in early 2026. The first was a downstream impact from a breach at TriZetto Provider Solutions (TPS) affecting 4,300 patients, followed by a direct, large-scale ransomware attack by the "Insomnia" threat group resulting in the exfiltration and subsequent dumping of over one million records containing sensitive Protected Health Information (PHI).
## Incident Details
- **Discovery Date:** January 12, 2026 (TPS Breach); March 7, 2026 (Insomnia Leak Site Listing)
- **Incident Date:** November 2024 (TPS Breach Start); Early 2026 (Insomnia Attack)
- **Affected Organization:** Valley Family Health Care (VFHC)
- **Sector:** Healthcare
- **Geography:** Idaho and Oregon, USA
## Timeline of Events
### Initial Access
- **Date/Time:** November 2024 (TPS breach); Date unknown for direct VFHC attack.
- **Vector:** Third-party compromise (TPS); Unknown for direct VFHC attack.
- **Details:** TPS suffered a breach that eventually exposed VFHC patient data. Later, Insomnia actors gained direct access to VFHC servers.
### Lateral Movement
- **Details:** Not explicitly disclosed, but threat actors accessed multiple directories including "Secure Email" folders and general administrative file shares containing incident reports and patient charts.
### Data Exfiltration/Impact
- **Details:** Insomnia claimed the exfiltration of over one million records. Analysis of the data dump confirmed the presence of SSNs, Medicaid IDs, patient charts, and internal confidential incident reports.
### Detection & Response
- **How it was discovered:** TPS notification (January 12); Monitoring of dark web leak sites (March 7).
- **Response actions taken:** VFHC posted a substitute notice on their website regarding the TPS incident; no public statement has been made regarding the direct Insomnia breach.
## Attack Methodology
*Note: Specific technical details for the Insomnia group's entry into VFHC were not disclosed in the source.*
- **Initial Access:** Supply chain/Third-party (TPS); Unknown (Insomnia).
- **Collection:** Scraped internal servers for unsecured PDF patient charts and demographic data.
- **Exfiltration:** Data was exfiltrated from VFHC systems and later posted to the group's leak site for extortion purposes.
- **Impact:** Data exfiltration and public dumping of sensitive PHI and internal compliance documents.
## Impact Assessment
- **Financial:** Potential HIPAA fines and costs associated with credit monitoring for over 1 million affected individuals.
- **Data Breach:** SSNs, DOBs, Medicare/Medicaid IDs, health insurance info, and detailed patient medical charts.
- **Operational:** Potential disruption of services (typical of Insomnia ransomware), though not confirmed.
- **Reputational:** High; sensitive internal safety and compliance reports were leaked due to lack of encryption.
## Indicators of Compromise
- **Network indicators:** No IP/URL indicators provided in the source.
- **File indicators:** Data tranche dumped on Insomnia leak site.
- **Behavioral indicators:** Presence of "Insomnia" threat group on dark web markets claiming VFHC as a victim.
## Response Actions
- **Containment measures:** Unknown.
- **Eradication steps:** Unknown.
- **Recovery actions:** Notification of HHS regarding the TPS-specific breach.
## Lessons Learned
- **Redundant Data Retention:** Confidential reports from as far back as 2018 were still accessible on the network, suggesting a lack of data lifecycle management.
- **Internal Security Gaps:** While some folders were password-protected, the "vast majority" of files containing PHI were unencrypted and unsecured.
- **Third-Party Risk:** Third-party vendors (TPS) remain a significant primary vector for healthcare data exposure.
## Recommendations
- **At-Rest Encryption:** Implement mandatory AES-256 encryption for all directories containing PHI and internal compliance documents.
- **Data Minimization:** Implement strict data retention policies to archive or delete sensitive records (like the 2018 incident report) that are no longer required for active operations.
- **Enhanced Monitoring:** Deploy Dark Web monitoring services to identify data leaks before they are publicized by threat actors.
- **Access Control:** Enforce the Principle of Least Privilege (PoLP) to ensure sensitive administrative reports are not accessible to general user accounts or vulnerable service accounts.
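One way to act on the At-Rest Encryption and Data Minimization recommendations above is a periodic audit of the PHI file share, shown here as an added example that is not code from VFHC, the source report or any vendor. It assumes a six-year retention window and a share of PDF charts and reports; the sample files, directory names and window are constructed for the demonstration.

```python
# Added example (not from the source report): a retention and at-rest encryption audit
# for a PHI file share using only the standard library; all sample data is constructed.
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

RETENTION_YEARS = 6  # assumed window; use the organisation's own retention schedule


def pdf_is_encrypted(path):
    """Heuristic: a PDF protected with standard security carries an /Encrypt entry
    in its trailer or xref-stream dictionary. A whole-file scan is fine for triage;
    confirm with a real PDF parser before acting on the result."""
    return b"/Encrypt" in Path(path).read_bytes()


def audit_share(root, now=None, retention_years=RETENTION_YEARS):
    """Walk a share and return {file name: [reasons]} for PDFs that are unencrypted
    at rest, older than the retention window, or both."""
    now = now or datetime.now()
    cutoff = now - timedelta(days=365 * retention_years)
    findings = {}
    for pdf in sorted(Path(root).rglob("*.pdf")):
        reasons = []
        if not pdf_is_encrypted(pdf):
            reasons.append("unencrypted")
        if datetime.fromtimestamp(pdf.stat().st_mtime) < cutoff:
            reasons.append("past-retention")
        if reasons:
            findings[pdf.name] = reasons
    return findings


def build_sample_share():
    """Create a constructed share with three minimal PDFs: a stale unencrypted
    incident report, a current unencrypted chart and a current encrypted chart."""
    root = Path(tempfile.mkdtemp(prefix="phi-share-"))
    (root / "Secure Email").mkdir()
    plain = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    enc = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
    files = {
        root / "incident_report_2018.pdf": (plain, 8 * 365),  # stale and exposed
        root / "Secure Email" / "chart_a.pdf": (plain, 30),   # current but exposed
        root / "Secure Email" / "chart_b.pdf": (enc, 30),     # current and encrypted
    }
    for path, (content, age_days) in files.items():
        path.write_bytes(content)
        ts = (datetime.now() - timedelta(days=age_days)).timestamp()
        os.utime(path, (ts, ts))  # backdate mtime to simulate the file's age
    return root
```

Running `audit_share(build_sample_share())` flags the 2018 report as both unencrypted and past retention and the plain chart as unencrypted only, while the encrypted chart produces no finding.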