TriZetto data breach compromised health data of over 3.4m U.S. individuals

TriZetto Provider Solutions, a leading provider of revenue cycle management services to healthcare organisations in the U.S., has announced that a data breach it detected in October compromised the personal and healthcare information of more than 3.4 million individuals.

 

The Cognizant-owned revenue cycle management company made the announcement in a data breach notification shared with the Attorney General of Oregon earlier this month. The company stated that the theft of personal and healthcare information of affected individuals began in November 2024 and continued until it was discovered and contained.

 

According to HIPAA Journal, TriZetto also informed the Texas Attorney General that the data breach incident impacted as many as 171,158 Texas residents, and made similar reports to the Attorney Generals of California, Massachusetts, New Hampshire, and Vermont without declaring the number of affected individuals from the respective states.

 

The company stated in its data breach notifications that the incident compromised affected individuals’ names, addresses, Social Security Numbers, dates of birth, medical information and health insurance information. The company did not state the number of affected physicians, clinics or healthcare organisations that avail its services directly or through intermediaries.

 

TriZetto has now started sending breach notification letters to affected individuals, stating the chronology of the incident, how much data was impacted and the steps it has taken to remediate the incident. Attorney Generals at several states have also started receiving breach notification letters from HIPAA-covered healthcare entities that were affected as a result of the data security incident at TriZetto.

 

One such notification filed by Gardner Health Services with the Attorney General of California stated that TriZetto first detected unauthorised access to a web portal, used by healthcare organisations to access its systems, on October 2, 2025, but later determined that the unauthorised access first occurred in November 2024, almost a year before it was discovered.

 

"TPS determined that, beginning in November 2024, an unauthorised third person began accessing some records related to insurance eligibility verification transactions that healthcare providers process to assess insurance coverage for treatment services they provide to patients," Gardner said.

 

"A thorough review of the affected data was conducted to identify what information was involved and the individuals to whom the data related. On or around November 28, 2025, TPS learned that the affected data may have included your name, address, date of birth, Social Security number, health insurance member number (which, for some individuals, may be a Medicare beneficiary identifier), provider name, health insurer name, primary insured information, and other demographic, health and health insurance information.

 

"The incident did not affect any payment card, bank account, or other financial information. At this time, we are not aware of any identity theft or fraud related to the use of any affected individual’s information, including yours," the provider added.  

 

TPS informed its healthcare industry customers that after discovering the breach, it promptly took measures to secure its systems and kicked off an investigation with help from leading cyber security experts. The company is implementing additional security protocols to enhance the security of its services and is offering free-of-cost credit monitoring, credit reporting and credit score services for one year.