Cognizant TriZetto Breach Exposes Health Data of 3.4 Million Patients
TriZetto Provider Solutions, a healthcare IT company owned by Cognizant and serving approximately 875,000 healthcare providers across the United States, has confirmed a data breach originating from a November 2024 cyberattack that went undetected for nearly a year — ultimately exposing the protected health information (PHI) of 3,433,965 individuals.
The incident was formally reported to the US Department of Health and Human Services' Office for Civil Rights (OCR) on February 6, 2026, and breach notification letters are now being distributed to affected individuals.
Breach Timeline
| Date | Event |
|---|---|
| November 19, 2024 | Unauthorized access begins within TriZetto web portal systems |
| October 2, 2025 | Suspicious activity detected on the web portal used by healthcare provider customers |
| October 2025 – early 2026 | Mandiant engaged to investigate; forensic review and remediation underway |
| February 6, 2026 | HHS OCR breach notification filed listing 3,433,965 affected individuals |
| March 2026 | Individual breach notification letters begin distribution |
The gap between initial compromise (November 2024) and detection (October 2025) represents approximately ten months of undetected access — a significant dwell time that allowed extensive data exposure across the portal systems used by healthcare provider customers.
What Data Was Exposed
The exposed dataset is a comprehensive profile of healthcare and personal identity information:
| Data Category | Examples |
|---|---|
| Personal Identifiers | Full name, address, date of birth |
| Government IDs | Social Security numbers (SSNs) |
| Health Insurance | Health insurance member numbers, insurer name, primary insured details |
| Government Healthcare | Medicare Beneficiary Identifier (MBI) numbers |
| Clinical Data | Provider names, health plan details, demographic information |
Payment card and bank account data were not included in the exposed records, according to the company's notification. However, the presence of SSNs and Medicare IDs elevates the risk profile significantly — both identifiers are long-lived and widely used across identity verification systems.
About TriZetto and Cognizant
TriZetto Provider Solutions provides software platforms and services to health insurers and healthcare providers. Its systems are embedded in the administrative workflows of a substantial share of the US healthcare ecosystem:
- Serves approximately 200 million covered lives through its platforms
- Works with roughly 875,000 healthcare providers nationwide
- Is a wholly-owned subsidiary of Cognizant Technology Solutions, one of the world's largest IT services firms
The scale of TriZetto's healthcare sector integration means a single breach of its provider-facing web portal can cascade across thousands of healthcare organizations whose patients' data flows through the platform.
Response and Investigation
Cognizant engaged Mandiant, a leading incident response firm, to:
- Investigate the scope and root cause of the unauthorized access
- Review the security posture of the affected web portal application
- Ensure full remediation of the intrusion vector
TriZetto and Cognizant are now facing nearly two dozen proposed federal class action lawsuits related to the breach, alleging inadequate security controls and delayed breach notification.
The company states it has reviewed the security of the affected systems and implemented enhanced monitoring and controls following the investigation.
Regulatory and Legal Exposure
| Dimension | Details |
|---|---|
| HIPAA Obligation | Healthcare entities must report breaches affecting 500+ individuals to HHS OCR within 60 days of discovery |
| Individual Notification | State breach notification laws require timely notice to affected individuals |
| Class Actions | ~20 proposed federal class action suits filed |
| HHS OCR Filing | Filed February 6, 2026; publicly listed in the HHS "Wall of Shame" portal |
The ten-month dwell time — from November 2024 compromise to October 2025 detection — will likely be a central focus of regulatory scrutiny and litigation. HIPAA's Breach Notification Rule requires covered entities to notify HHS OCR within 60 days of discovery, but does not limit liability for the underlying dwell time.
Impact Assessment
This breach joins a growing list of large-scale healthcare IT vendor compromises that have cascading effects across the US health system:
| Impact Area | Analysis |
|---|---|
| Identity Theft Risk | SSNs and Medicare IDs create long-term identity fraud risk for 3.4M individuals |
| Healthcare Fraud | Medicare Beneficiary IDs can be exploited for fraudulent billing |
| Phishing Risk | Exposed data packages (name + insurer + provider) enable highly targeted healthcare phishing |
| Regulatory Fallout | Extended dwell time will draw HHS OCR scrutiny and potential enforcement action |
| Third-Party Risk | Breach at an IT vendor affects patients across hundreds of provider organizations |
Recommendations for Affected Individuals
- Request a free credit freeze at all three major bureaus (Equifax, Experian, TransUnion) — SSN exposure warrants immediate action
- Monitor your Medicare account at medicare.gov for unauthorized claims or changes to your Medicare Beneficiary Identifier
- Review your Explanation of Benefits (EOB) statements for unfamiliar medical charges that may indicate insurance fraud
- Enroll in identity monitoring services — TriZetto may offer complimentary enrollment; check your breach notification letter
- Be alert to healthcare-themed phishing — attackers with access to insurer and provider names can craft highly convincing emails and calls
- Place a fraud alert with one credit bureau (which then notifies all three) as an additional layer of protection
Key Takeaways
- 3.4 million individuals had protected health information exposed in a 2024 cyberattack on Cognizant's TriZetto healthcare IT platform
- Unauthorized access began November 2024 but was not detected until October 2025 — a ~10-month dwell time
- Exposed data includes SSNs, Medicare IDs, and health insurance records — a combination that creates significant identity fraud and healthcare billing fraud risk
- Mandiant was engaged for forensic investigation and remediation; ~20 federal class actions have been filed
- The breach highlights third-party risk in healthcare IT — a single vendor compromise can expose patients across hundreds of provider organizations
Sources
- Cognizant TriZetto breach exposes health data of 3.4 million patients — BleepingComputer
- TriZetto confirms 3.4M people's health and personal data was stolen — TechCrunch
- Trizetto Data Breach: PHI of 3.4 Million Individuals Exposed — HIPAA Journal
- Trizetto Notifying 3.4M of 2024 Hack Detected in 2025 — GovInfoSecurity