Unauthorised Access Healthcare IT / Revenue Management · United States · March 2026

TriZetto Provider Solutions

Analysis of the TriZetto Provider Solutions data breach affecting over 3.4 million patients. An 11-month unauthorised access to healthcare claims processing systems exposed SSNs and health data.

Records Affected

Over 3.4 million individuals (and growing)

Attack Type

Unauthorised Access

Location

United States

Data types exposed

Names addresses dates of birth Social Security numbers health insurance member numbers Medicare beneficiary identifiers demographic and health-related information

What Happened

TriZetto Provider Solutions, a Missouri-based subsidiary of Cognizant that provides revenue management and claims processing services to healthcare providers, disclosed a data breach affecting multiple healthcare clients and their patients.
According to reporting by BleepingComputer and the HIPAA Journal, TriZetto identified suspicious activity on one of its web portals on October 2, 2025. A forensic investigation, conducted with the assistance of Mandiant, determined that unauthorised access had begun as early as November 2024, meaning the threat actor had access to TriZetto's systems for approximately 11 months before detection.
The compromised data reportedly includes names, addresses, dates of birth, Social Security numbers, health insurance member numbers, Medicare beneficiary identifiers, and other demographic and health-related information tied to insurance eligibility verification transactions. TriZetto has stated that financial account numbers such as bank or credit card details were not part of this breach.
A filing with the Maine Attorney General confirmed the number of affected individuals at 3,433,965 as of early March 2026. TriZetto has noted that this number may increase as the data review continues.
Multiple healthcare providers have issued their own breach notifications as a result, including San Francisco Community Health Center and MercyOne. Several class-action lawsuits have been filed against Cognizant, alleging delayed notification and insufficient cybersecurity measures.
No ransomware group has publicly claimed responsibility, and there are no confirmed reports of the data appearing on dark web forums at the time of writing.

Timeline

  • November 2024 — Unauthorised access to TriZetto web portal begins
  • October 2, 2025 — Suspicious activity detected on web portal; forensic investigation initiated with Mandiant
  • Late 2025 — Individual notifications begin for affected patients
  • Early March 2026 — Filing with Maine Attorney General confirms 3,433,965 individuals affected
  • March 2026 — Multiple class-action lawsuits filed against Cognizant

Impact and Risk Assessment

For Individuals

Over 3.4 million patients had their SSNs, health insurance details, and Medicare beneficiary identifiers exposed, creating long-term identity theft and medical fraud risk.
Many affected individuals had no direct relationship with TriZetto and may not understand how their data came to be compromised through a downstream processor.
The 11-month dwell time means threat actors had extended access to ongoing eligibility verification transactions.

For Organisations

Multiple healthcare providers including San Francisco Community Health Center and MercyOne have had to issue their own breach notifications.
Cognizant faces multiple class-action lawsuits alleging delayed notification and insufficient cybersecurity measures.
Healthcare providers that relied on TriZetto must now assess their own HIPAA compliance obligations in light of their business associate's breach.

Regulatory Context

HIPAA breach notification requirements apply. Under HIPAA, covered entities remain responsible for ensuring their business associates protect patient data.
The extended dwell time and notification timeline may draw scrutiny from HHS Office for Civil Rights regarding timely breach reporting obligations.

What Should You Do?

For Individuals

  • If you have received healthcare services from a provider that uses TriZetto for claims processing, monitor your credit reports and explanation of benefits statements for signs of identity misuse or medical fraud.
  • Consider placing a fraud alert with major credit bureaus if you receive a notification letter from TriZetto or an affected healthcare provider.

For Security Professionals

  • Review your vendor risk management programme and verify that agreements with business associates include meaningful security requirements and timely breach notification clauses.
  • Ensure that downstream processors handling eligibility verification data have detection and response capabilities that go beyond annual audits.
  • If you are a healthcare provider or business associate handling protected health information, this is a good time to confirm that your vendors have continuous monitoring in place.

Learnings and Recommendations

An 11-month dwell time is a significant concern, but it is unfortunately not unusual in the healthcare sector. Web portals that handle sensitive data, especially those used by third-party vendors and business associates, need continuous monitoring and anomaly detection. Periodic access reviews are not enough when a portal is processing millions of eligibility transactions.
This breach also reinforces the challenge of third-party risk in healthcare. Many of the individuals affected had no direct relationship with TriZetto. They were patients of healthcare providers that used TriZetto as a downstream processor. Under HIPAA, the covered entity remains responsible for ensuring its business associates protect patient data, but in practice, visibility into a vendor's security posture is often limited.
If you are a healthcare provider or a business associate handling protected health information, this is a good time to review your vendor risk management programme, verify that your agreements include meaningful security requirements, and confirm that your vendors have detection and response capabilities that go beyond annual audits.

References

[1] BleepingComputer - Cognizant TriZetto breach exposes health data of 3.4 million — https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/
[2] HIPAA Journal - Trizetto Data Breach — https://www.hipaajournal.com/trizetto-provider-solutions-data-breach/
[3] eSecurity Planet - TriZetto Data Breach Triggers Class-Action Lawsuits — https://www.esecurityplanet.com/threats/trizetto-data-breach-triggers-class-action-lawsuits-against-cognizant/
[4] San Francisco Community Health Center - TriZetto Data Security Incident — https://www.sfcommunityhealth.org/trizetto-data-security-incident
[5] MercyOne - TriZetto Provider Solutions Security Incident — https://www.mercyone.org/press-releases/trizetto-provider-solutions-security-incident

Source

https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/ ↗
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.
Back to all advisories