Inside the TriZetto Breach: How Attackers Spent Nearly a Year Inside Healthcare Infrastructure Serving 200 Million Americans

A company most patients have never heard of quietly processed their insurance data, their Social Security numbers, their Medicare identifiers, and their health records. Then an unauthorized actor walked into its systems in November 2024, stayed for almost a year, and walked out with data belonging to 3,433,965 people. Nobody noticed for eleven months.

TriZetto Provider Solutions is not a name that appears on hospital walls or insurance cards. It operates behind the curtain of American healthcare, processing revenue cycles, managing claims clearinghouse transactions, and running insurance eligibility verification for a network that, according to its own website, spans approximately 875,000 healthcare providers and touches around 200 million people across the United States. That invisible position in the infrastructure is precisely what made this breach so consequential — and so dangerous.

The formal breach notification, filed with the Maine Attorney General on February 6, 2026, confirmed that 3,433,965 individuals had their protected health information (PHI) and personally identifiable information (PII) exposed or compromised. Subsequent filings with the attorneys general of Oregon, Texas, New Hampshire, California, Massachusetts, and Vermont have pushed estimated totals even higher, with some aggregates from those state disclosures alone exceeding 3.6 million affected individuals. The final count has not been confirmed as complete.

Who Is TriZetto and Why Should Anyone Care

TriZetto Provider Solutions is a Missouri-based healthcare technology company that has operated under the Cognizant umbrella since 2014, when Cognizant Technology Solutions acquired it. Cognizant is one of the largest IT services and consulting firms in the world, headquartered in Teaneck, New Jersey, with operations spanning dozens of countries. The TriZetto acquisition positioned Cognizant as a major player in healthcare IT infrastructure.

TriZetto's core function in the healthcare ecosystem is acting as a business associate under the Health Insurance Portability and Accountability Act (HIPAA). It serves physicians, hospitals, health systems, and insurers by handling revenue cycle management (RCM), billing, claims processing, and — critically — real-time insurance eligibility verification. That last function is where the breach originated.

The eligibility verification process relies on HIPAA-standard electronic data interchange transactions known as the 270 and 271. When a patient arrives for care, the provider's system sends a 270 inquiry to verify that patient's coverage status with a health insurer. The insurer returns a 271 response containing detailed eligibility and benefit information. TriZetto's platform sits in the middle of this exchange for a vast number of providers, which means it accumulates and stores historical eligibility transaction reports containing a dense bundle of personal and health data for millions of individuals. That stored data was what the attackers accessed.

Among TriZetto's reported client base are some of the largest names in American healthcare insurance, including UnitedHealth Group, Anthem, Cigna, Molina Healthcare, and Kaiser Permanente. TriZetto also processes approximately 2.6 billion healthcare transactions annually — a figure cited directly on Cognizant's own product pages — a scale that underscores why any compromise of its systems carries significant industry-wide consequences.

What Happened and When

The publicly documented timeline of this breach is stark in what it reveals about detection failure.

On November 19, 2024, an unauthorized party gained access to TriZetto's external systems. The specific attack vector has not been publicly disclosed. What is confirmed by TriZetto's own breach notification letters and regulatory filings is that the attacker accessed historical eligibility transaction reports stored within TriZetto infrastructure — stored data, not live transaction streams. The attacker was not inside a live production system intercepting data in real time. They were inside a storage environment where accumulated records sat, apparently accessible and largely unmonitored.

For approximately eleven months, that access continued. No alarm fired. No detection mechanism flagged the activity as anomalous.

On October 2, 2025, TriZetto finally identified suspicious activity within a web portal used by healthcare provider customers to access its systems. The company immediately moved to secure the portal and contain the incident. It engaged Mandiant, a leading cybersecurity incident response firm now owned by Google, to investigate the activity, review the security of the web platform, and confirm that the threat had been fully eradicated. Mandiant's involvement is notable — it is the firm that has handled response for some of the most significant cybersecurity incidents in recent years.

TriZetto's breach notification letter states that on October 2, 2025, the company identified suspicious activity in its provider web portal and moved immediately to investigate, engage external cybersecurity experts, and notify law enforcement. — TriZetto Provider Solutions breach notification letter, as cited in Paubox

The timeline from that point forward reveals a second, legally significant layer. On October 2, 2025, TriZetto detected the suspicious activity and secured the portal. But it was not until on or around November 28, 2025 — nearly two months later — that the company determined the specific PHI types that had been compromised. That November 28 date is the date that appears in the formal breach notification letters sent to affected individuals, because HIPAA's 60-day notification clock begins from when the covered entity or business associate knows that a breach has occurred and has completed a reasonable risk assessment — not necessarily from initial detection. (Some subsequent reporting has treated November 28 as the official discovery date, conflating it with the PHI determination date. The actual suspicious activity detection was October 2, 2025.) TriZetto began notifying affected providers on December 9, 2025. The formal breach notification to HHS's Office for Civil Rights and to multiple state attorneys general was filed on February 6, 2026. Individual notification letters also began going out in February 2026, though healthcare providers whose patients were affected had the option to have TriZetto manage that process on their behalf — meaning not all affected individuals received direct notification from TriZetto itself.

TriZetto has stated that no further unauthorized activity has been detected since October 2, 2025, and that the threat actor has been fully removed from its environment.

What Was Stolen

The compromised data is a combination of PII and PHI. The specific elements that may have been exposed for any given individual vary depending on the provider they used and how their records were stored in TriZetto's systems. According to the official breach notification and regulatory filings, the following categories of information were involved:

• Full legal names (patients and primary insureds)
• Home addresses
• Dates of birth
• Social Security numbers
• Health insurance member numbers
• Medicare beneficiary identifiers (in some cases)
• Health insurer names
• Information about primary insureds or beneficiaries
• Dependent information
• Other demographic, health, and health insurance data

TriZetto confirmed that no payment card numbers, bank account details, or other financial account information were included in the compromised data. No ransomware deployment has been reported, and as of the time of this writing, no threat actor group has publicly claimed responsibility for the attack.

The Eleven-Month Problem

The single fact that defines this breach above all others is the dwell time: the period between initial intrusion and detection. In this case, that gap was approximately eleven months. That is not a data point to skim past. It is the center of the entire story.

Under HIPAA's Security Rule (45 CFR § 164.308), covered entities and their business associates are required to implement procedures for regularly reviewing records of information system activity, including audit logs, access reports, and security incident tracking. The HIPAA Security Rule also requires a formal security incident response process. An eleven-month detection gap suggests that either effective monitoring was not in place, monitoring existed but did not flag the unauthorized access as anomalous, or alerts were generated but not acted on. None of those possibilities reflect well on the security posture of the organization responsible for handling PHI at this scale.

To frame the severity: during those eleven months, the attacker had sustained access to historical eligibility records tied to healthcare providers serving a combined patient population that runs into the millions. The attacker was not conducting a smash-and-grab. They had time to methodically access, copy, or exfiltrate data at whatever pace they chose.

Cognizant, TriZetto's parent company, was asked by reporters why detection took so long. Cognizant spokesperson William Abelson confirmed the company had eliminated the threat to its environment but declined to explain the delay in discovery. That silence has done little to quiet the growing legal scrutiny aimed at the company.

It is also worth noting — and the plaintiff attorneys in the class actions have not missed this — that Cognizant carries a documented pattern of security incidents that creates a particularly unflattering context for an eleven-month detection failure. In April 2020, the Maze ransomware group attacked Cognizant directly, resulting in expected costs of $50 million to $70 million according to statements made by Cognizant CFO Karen McLoughlin during a Q1 2020 earnings call. Then in August 2023, Scattered Spider operatives breached Clorox's network by calling Cognizant's service desk and requesting a password reset without proper identity verification. Clorox filed suit against Cognizant in July 2025 in California Superior Court (Alameda County), alleging gross negligence and claiming $380 million in damages from the resulting production shutdown. In the Clorox complaint, attorneys described the attack as successful not because of sophisticated technical exploitation but because Cognizant employees handed over credentials when asked. The TriZetto eleven-month detection gap is the third major security failure linked to Cognizant in five years. That pattern, not any single incident, is what the OCR and the class action plaintiffs will look at hardest.

Scope, Ripple Effects, and Affected Organizations

Because TriZetto operates as a business associate and in many cases as a subcontractor of other vendors, the organizational footprint of this breach is wide and layered. Not every healthcare provider that was affected had a direct contractual relationship with TriZetto. Some providers contracted with electronic health record (EHR) platforms or other health IT vendors who in turn used TriZetto as a downstream subcontractor. Those providers still had their patients' data exposed — they simply did not know TriZetto had it.

OCHIN, a nonprofit health IT consultancy that manages Epic-based electronic health records for more than 300 rural and community care providers across the United States, was among the confirmed affected organizations. OCHIN contracted with TriZetto for billing services. OCHIN disclosed that the breach affected approximately nine percent of its member patient network. Given that OCHIN's patient population exceeds 7.9 million individuals, that nine percent figure implies approximately 711,000 OCHIN-connected patients may have been affected through this single downstream relationship alone.

Individual providers that publicly confirmed their patients were among those affected include La Clinica de la Raza in California, with TriZetto having served as a subcontractor to OCHIN in that case. Healthcare providers across California, Oregon, and other states have also confirmed involvement. The HIPAA Journal, which has been tracking confirmed affected organizations in real time, notes that clients who delegated the notification process to TriZetto are not always publicly identified, meaning the full list of affected organizations remains larger than what is publicly documented.

Some individuals who received breach notification letters expressed confusion upon receipt because TriZetto's name meant nothing to them and the letter did not always clearly identify which of their own healthcare providers had shared their data with TriZetto. At least one California resident reportedly questioned whether the letter was a scam — a predictable outcome when patients receive breach notices from a company they have never directly interacted with.

Legal Fallout and Class Actions

Multiple class action lawsuits have been filed against TriZetto Provider Solutions and Cognizant in federal courts. The first wave — including Lytle v. TriZetto Provider Solutions LLC (Case No. 2:25-cv-18938) and Noble v. TriZetto Provider Solutions LLC (Case No. 2:25-cv-18967), filed in the U.S. District Court for the District of New Jersey in late December 2025 — were among the earliest. Additional cases were filed in Missouri federal court and in other jurisdictions. As of early March 2026, Cognizant and TriZetto are facing nearly two dozen proposed federal class action lawsuits related to this breach.

The complaints allege that TriZetto failed to implement reasonable cybersecurity measures, failed to detect the unauthorized access for nearly a year despite the volume and sensitivity of the data it held, and violated HIPAA by failing to adequately protect PHI. One complaint, filed on behalf of plaintiff Elizabeth Noble, alleged that the stolen data either had already been published or would be published imminently by cybercriminals, potentially on dark web forums or marketplaces.

"Cognizant, TriZetto's parent company, faces multiple class-action lawsuits for failing to secure sensitive data." — Censinet

The regulatory exposure is also significant. HHS's Office for Civil Rights has received the formal breach notification. OCR is authorized under HIPAA to investigate breaches and impose civil monetary penalties that can reach into the millions of dollars depending on the severity of the violation and the organization's history of compliance. Given the scale of this incident and the eleven-month detection gap, a formal OCR investigation is widely anticipated by healthcare compliance professionals.

TriZetto has offered to provide credit monitoring and identity theft restoration services to affected individuals at no cost, administering those services through Kroll, a major provider of post-breach identity protection. The company has also offered to handle HHS notifications, media notifications, and state regulator notifications on behalf of covered entity clients who request that assistance.

The Bigger Picture: Healthcare's Third-Party Problem

The TriZetto breach did not happen in isolation. It is the latest and among the largest entries in a pattern that has defined healthcare cybersecurity for the past several years: the systematic exploitation of third-party vendors and business associates who aggregate sensitive data from across the healthcare ecosystem.

The American Hospital Association's 2025 cybersecurity year review found that more than 80 percent of stolen protected health information records were taken from third-party vendors, software services, business associates, and non-hospital entities rather than directly from hospitals. That statistic alone should reframe how healthcare organizations think about their security perimeter. The weakest link is frequently not the hospital itself but the vendor sitting behind it, processing claims, managing eligibility, or storing records on behalf of hundreds or thousands of provider clients simultaneously.

The comparison to Change Healthcare is unavoidable and instructive. In February 2024, Change Healthcare — a clearinghouse subsidiary of UnitedHealth Group — suffered a ransomware attack by the ALPHV/BlackCat group that ultimately affected an estimated 192.7 million individuals, making it the largest healthcare data breach in U.S. history. Change Healthcare processes approximately 15 billion healthcare transactions annually. The attack disrupted prescription processing, claims submissions, and revenue cycles across the country for weeks. The breach was initially reported as affecting 500 individuals. The actual count grew to nearly 193 million.

TriZetto's breach does not involve ransomware or the operational disruption that defined Change Healthcare. But it follows the same structural logic: one vendor, embedded in the shared infrastructure of healthcare delivery, becomes a single point of failure for the data of millions of people who never chose to share their information with that vendor and likely did not know they had.

Healthcare data consistently commands the highest breach costs of any industry. Independent analysis has placed the average healthcare breach cost above $10 million per incident, reflecting the combination of forensic investigation, prolonged remediation, regulatory fines, patient notification, credit monitoring provision, legal defense, and reputational damage. The TriZetto incident, given its scale and the regulatory scrutiny it has already attracted, is likely to produce costs well above that average.

Where Does the Data Go — And Has It Already Been Used?

One question the breach notification letters do not answer, and that TriZetto has not publicly addressed, is what the attacker did with eleven months of access. The company has stated that as of February 2026 it is not aware of any identity theft or fraud connected to the stolen data. No ransomware group has claimed the attack. No data linked to TriZetto has surfaced on known dark web marketplaces or leak forums as of the time of this writing. That absence is not reassurance — it is ambiguity.

Attackers who access healthcare data and do not immediately monetize it through ransomware or dark web listings fall into a different threat category: long-horizon actors who hold data for targeted fraud campaigns, sell it through private channels rather than public forums, or stage it for use months or years later. The combination of Social Security numbers, Medicare identifiers, dates of birth, insurer names, and provider relationships is the precise data set used to file fraudulent Medicare reimbursement claims, fabricate insurance preauthorizations, or construct synthetic identities. These schemes take time to execute and do not announce themselves. The plaintiff complaint filed on behalf of Elizabeth Noble specifically alleged that the stolen data either had already been published or was expected to be published imminently on criminal marketplaces — which, as of this writing, has not been publicly confirmed one way or the other. For affected individuals, the practical implication is that the threat window is not days or weeks. It is years.

What Would Actually Fix This — Beyond the Standard Checklist

Every post-breach analysis produces the same list: stronger BAAs, better monitoring, more frequent vendor audits, mandatory encryption. Those steps are not wrong. But they are insufficient, and the TriZetto breach illustrates exactly why.

The deeper problem is architectural. TriZetto could theoretically implement every item on a standard healthcare cybersecurity checklist and still be structurally positioned as the single point of failure for millions of patients' data. The concentration of sensitive information across a vendor ecosystem creates risk that monitoring alone cannot resolve. What the TriZetto breach — and the Change Healthcare breach before it — actually argues for is a different model of data custody altogether.

Specifically: healthcare clearinghouses and business associates that aggregate historical eligibility records should not hold that data indefinitely in searchable, network-accessible storage. Eligibility transaction data serves an operational purpose — verifying coverage at the point of care. Once that transaction is complete and reconciled, the justification for retaining identifiable records in an internet-accessible portal diminishes significantly. A data minimization framework applied to clearinghouse operations — one that establishes maximum retention periods for historical eligibility data, requires tokenization of permanent identifiers like Social Security numbers and Medicare IDs, and mandates segregated cold storage with no network portal exposure — would have meaningfully reduced the blast radius of this breach even if the initial intrusion had not been detected.

The HIPAA Security Rule has historically treated data minimization as a soft requirement embedded in the Privacy Rule's minimum necessary standard rather than a hard technical control. Pending updates to the HIPAA Security Rule, which HHS proposed in 2024 and are expected to be finalized in 2026, signal a shift toward mandatory encryption requirements, mandatory multi-factor authentication, and explicit network segmentation standards. Those updates would have applied directly to the conditions that allowed this breach to persist for eleven months. Whether they would have prevented the initial intrusion is unknown — but they would have changed the detection equation substantially, because the proposed rules also strengthen audit log requirements and incident response procedure mandates for business associates.

For healthcare organizations evaluating their own BAA and vendor relationships after reading this, the more actionable shift is in how they treat subcontractor relationships. The TriZetto breach reached OCHIN-connected providers and their patients not through a direct TriZetto contract but through a downstream subcontractor chain. Standard BAA templates typically include language requiring subcontractors to enter their own agreements but do not require the covered entity to vet those subcontractors independently. Covered entities should insist on either visibility into or direct approval rights over any subcontractor relationship their primary vendor establishes that involves PHI — because as this breach demonstrates, patients bear the consequences of risk several tiers down from the provider they actually chose to trust.

Finally, there is a notification design problem that this breach exposed and that has no technical solution: patients receive breach letters from companies they have never heard of, describing data they did not knowingly give to those companies, with instructions to enroll in services they cannot readily evaluate. One California resident contacted the HIPAA Journal after receiving her TriZetto notification letter because it did not name the healthcare provider whose data TriZetto held, making the letter indistinguishable from a phishing attempt. The notification process, even when executed correctly, is currently structured to confuse the very people it is supposed to protect. That is a regulatory design failure, not just a TriZetto execution failure.

What Affected Individuals Should Do Now

If you received a notification letter from TriZetto Provider Solutions, or if you received healthcare services between November 2024 and October 2025 from any provider that uses TriZetto's systems for billing or eligibility verification, there are concrete steps you should take now.

Sign up for the Kroll identity monitoring service offered by TriZetto at no cost. Even if you are not certain you are among the 3.4 million affected individuals, the combination of data types exposed in this breach — Social Security numbers, Medicare identifiers, dates of birth, and insurance details — creates meaningful ongoing risk. Enroll if you have any reason to believe your data may have passed through TriZetto systems.

Place fraud alerts on your credit files with all three major credit bureaus: Equifax, Experian, and TransUnion. A fraud alert prompts lenders to take extra steps to verify identity before extending credit in your name. For stronger protection, consider a credit freeze, which entirely blocks new creditors from accessing your report. A freeze is free and can be lifted temporarily when needed.

Monitor your Explanation of Benefits (EOB) statements from your health insurer carefully. Medical identity theft often appears first as services, prescriptions, or procedures billed to your insurance that you did not receive. Report any unfamiliar claims to your insurer immediately. Review your Medicare Summary Notice if you are a Medicare beneficiary, particularly given that Medicare beneficiary identifiers were among the exposed data elements.

Save all correspondence from TriZetto, including the notification letter, any reference numbers provided, and records of any services you enroll in. If you choose to participate in the class action litigation, that documentation will be relevant. You can monitor the status of the lawsuits through the Public Access to Court Electronic Records (PACER) system using the case numbers listed above.

Be alert to targeted phishing attempts. The data stolen in this breach is precisely the kind of information used to craft convincing phishing emails or phone scams that appear to come from your insurer, your provider, or even from TriZetto itself. Do not click links in unsolicited emails claiming to be related to this breach. Navigate directly to any official service portals by typing the URL yourself.

Key Takeaways

1. Third-party risk is not theoretical: The TriZetto breach demonstrates that patients face meaningful exposure from vendors they have never interacted with directly. Healthcare organizations must treat their vendor ecosystem as an extension of their own security perimeter, with continuous monitoring, rigorous Business Associate Agreement enforcement, and direct visibility into subcontractor relationships that involve PHI.
2. Dwell time is the real measure of failure: Eleven months of undetected access is not an anomaly to be explained away — it is evidence of a monitoring and detection gap that HIPAA's Security Rule was specifically designed to prevent. The absence of timely detection is as serious a compliance failure as the breach itself. Pending 2026 HIPAA Security Rule updates, which include mandatory audit log requirements and enhanced incident response standards for business associates, would have applied directly here.
3. Health data theft has long-tail consequences: Unlike financial account credentials, the PII and PHI stolen in this breach cannot be changed. Social Security numbers, Medicare identifiers, and dates of birth are permanent. No ransomware group has claimed the attack and no data has surfaced publicly on dark web markets as of this writing — which does not mean the data is safe. It may mean it is being held for longer-horizon fraud campaigns that take months or years to execute.
4. Regulatory and legal exposure will be significant: With HHS OCR now holding a formal breach notification affecting 3.4 million individuals, and nearly two dozen class action lawsuits already filed against Cognizant and TriZetto, this is the third major security failure linked to Cognizant in five years. The cumulative pattern — 2020 Maze ransomware attack on Cognizant directly, 2023 Scattered Spider social-engineering attack on Clorox enabled by Cognizant's service desk, 2024–2025 TriZetto — is the context in which OCR will evaluate what "reasonable and appropriate" safeguards meant for this organization.
5. The healthcare infrastructure model has a structural vulnerability: Clearinghouses and business associates that aggregate data from thousands of provider-payer relationships create high-value, high-risk concentrations of sensitive information. The fundamental fix is not better monitoring of the same architecture — it is data minimization, tokenization of permanent identifiers, and elimination of indefinite retention in network-accessible storage. The industry's rate of third-party breach is not a coincidence — it is the predictable outcome of a model where security investment has not kept pace with data aggregation.
6. The notification system itself is broken: When a patient cannot tell the difference between a legitimate breach notification letter and a phishing attempt — because the letter does not name their healthcare provider and comes from a company they have never heard of — the regulatory notification framework has failed them regardless of whether the company followed the rules. That is a design problem that goes beyond any individual incident.

The TriZetto breach is not a story about one company failing to patch a vulnerability or one employee clicking a phishing link. It is a story about a structural reality in American healthcare: enormous concentrations of sensitive data sit inside vendor systems that many patients have never heard of, governed by compliance frameworks that have proven insufficient to prevent or detect sophisticated intrusions. The same parent company now faces legal action for three separate major security failures in five years. Until the industry addresses both the monitoring failures that allowed eleven months of undetected access and the architectural choices that make healthcare clearinghouses such high-value targets in the first place, incidents like this will not stop. They will only get larger.