TriZetto/Cognizant 3.4M Patient Records Stolen in 11-Month Healthcare Supply Chain Breach

Feb 6, 2026 · 3.4M patients · 11-month dwell · ~24 lawsuits

CRITICAL CORROBORATED

By Karim El Labban · ZERO|TOLERANCE

TriZetto Provider Solutions - a Missouri-based Cognizant subsidiary that processes insurance eligibility verification transactions for healthcare providers across the United States - disclosed that an unauthorized actor accessed its web portal beginning November 19, 2024, and remained undetected for approximately 11 months until suspicious activity was identified on October 2, 2025. During that period, the attacker accessed historical eligibility transaction reports containing the protected health information of 3,433,965 individuals.

The stolen data includes names, addresses, dates of birth, Social Security numbers, health insurance member numbers, Medicare beneficiary identifiers, health insurer names, provider names, and demographic and clinical information.

TriZetto processes over 4 billion transactions annually through its clearinghouse infrastructure, which maintains 8,000+ payer connections and 650+ practice management vendor integrations.

Mandiant conducted the forensic investigation, which concluded in late November 2025. Individual notifications began on February 6, 2026 - more than three months after detection and over 14 months after the initial unauthorized access.

Nearly two dozen proposed federal class action lawsuits have been filed against TriZetto and parent company Cognizant (NASDAQ: CTSH, $21.1 billion FY2025 revenue). No threat actor has claimed responsibility.

The breach is the third major healthcare supply chain compromise disclosed in early 2026, following Oracle Health (80 hospitals) and Conduent (25 million Americans).

01

KEY FACTS

  • What: Unauthorized actor accessed TriZetto Provider Solutions' eligibility verification web portal for approximately 11 months, exfiltrating historical transaction reports containing protected health information of 3.4 million patients.
  • Who: TriZetto Provider Solutions, a Cognizant subsidiary (acquired 2014 for $2.7 billion). Affects 3,433,965 individuals across dozens of healthcare providers including community health centers, county health departments, and health systems in California, Oregon, Texas, Massachusetts, and other states.
  • How: Web portal vulnerability - specific attack vector not disclosed by TriZetto or Mandiant. The compromised portal was used by healthcare providers to access insurance eligibility verification systems. The attacker accessed historical eligibility transaction reports (HIPAA X12 270/271 transaction data).
  • Data: Names, addresses, dates of birth, Social Security numbers, health insurance member numbers, Medicare beneficiary identifiers (for some individuals), health insurer names, provider names, primary insured or dependent information, and other demographic, health, and health insurance information. No payment card, bank account, or other financial information was involved.
  • Actor: Unknown. No threat actor has claimed responsibility. No ransomware group has been attributed. No data has been confirmed on dark web marketplaces as of March 2026.
  • Impact: Nearly two dozen proposed federal class action lawsuits. HHS OCR investigation expected. Mandiant-led forensic investigation. 12 months of Kroll credit monitoring offered to affected individuals. Cognizant declined public comment.

02

WHAT HAPPENED

On October 2, 2025, TriZetto Provider Solutions detected suspicious activity within a web portal used by some of its healthcare provider customers to access the company's eligibility verification systems.

TriZetto immediately secured the portal, engaged Google-owned cybersecurity firm Mandiant to conduct a forensic investigation, and notified law enforcement.

The Mandiant investigation, which concluded in late November 2025, determined that an unauthorized actor had first accessed historical eligibility transaction reports within the TriZetto system on November 19, 2024 - approximately 11 months before detection.

The compromised data related to insurance eligibility verification transactions, which are processed when healthcare providers confirm a patient's insurance coverage before treatment.

These transactions follow the HIPAA X12 270/271 standard: the 270 transaction is the eligibility inquiry sent from a provider or clearinghouse to a payer, and the 271 is the payer's structured response containing coverage details.

TriZetto's clearinghouse infrastructure processes over 4 billion transactions annually, connecting more than 11,000 payers with 650+ practice management vendor integrations.

The web portal through which the attacker gained access was one of several interfaces TriZetto provides to healthcare clients. TriZetto holds SOC 2, EHNAC, and HITRUST certifications - industry security standards that the breach calls into question.

TriZetto has not disclosed the specific vulnerability exploited in the web portal, whether the attacker used compromised credentials or exploited an application-level flaw, or how the attacker evaded detection for 11 months while accessing historical reports.

Cybersecurity consultant Steven Adler, quoted by GovInfoSecurity, assessed that the prolonged dwell time likely resulted from "use of unreported stolen credentials, and overemphasis on data loss prevention defenses instead of behavior monitoring" - a pattern that allows attackers employing low-volume exfiltration strategies to evade discovery.

03

COGNIZANT: A PATTERN OF SECURITY FAILURES

TriZetto Provider Solutions has operated as a Cognizant subsidiary since 2014, when Cognizant Technology Solutions (NASDAQ: CTSH) acquired the TriZetto Corporation for $2.7 billion in cash.

Cognizant is a Fortune 200 IT services company headquartered in Teaneck, New Jersey, with $21.1 billion in full-year 2025 revenue and approximately 351,600 employees globally.

The TriZetto breach is the third major security failure associated with Cognizant in six years:

In April 2020, the Maze ransomware group breached Cognizant's corporate network, maintaining access from April 9-11 and exfiltrating sensitive data including Social Security numbers, Tax IDs, financial information, driver's licenses, and passports.

The attack cost Cognizant between $50 million and $70 million in direct remediation and recovery costs.

In August 2023, Scattered Spider social engineers called Cognizant's IT helpdesk - which Cognizant operated under contract for Clorox - and convinced helpdesk agents to reset passwords and multifactor authentication tokens for Clorox employees without verifying caller identity.

The resulting breach shuttered Clorox factories and disrupted supply chains for weeks.

Clorox is suing Cognizant for $380 million, alleging that helpdesk agents provided passwords to attackers in real-time during recorded calls, offered to reset MFA without verification, and changed phone numbers used for SMS authentication at the attacker's request.

This pattern - Maze ransomware in 2020, Scattered Spider social engineering in 2023, and an 11-month undetected web portal compromise in 2024-2025 - demonstrates systemic failures in Cognizant's security posture across its own infrastructure and the subsidiaries it operates.

04

AFFECTED HEALTHCARE PROVIDERS

The full list of affected healthcare providers has not been publicly disclosed. Based on individual provider notifications and state attorney general filings, confirmed affected organizations include:

California:

  • Gardner Health Services (6,197 individuals)
  • Mission Neighborhood Health Center (3,741 individuals)
  • One Community Health (4,309 individuals)
  • Share Ourselves (2,864 individuals)
  • La Clinica de la Raza
  • San Francisco Community Health Center
  • Planned Parenthood Northern California
  • Open Door Community Health Centers
  • Native American Health Center
  • CE-Edinger Medical Group
  • Friends of Family Health Center
  • Harmony Health Medical Clinic and Family Resource Center
  • Lifelong Medical Care
  • Santa Barbara County Health Department
  • Santa Rosa Community Health Centers

Oregon:

  • Deschutes County Health Services (~1,300 patients)
  • Best Care (~1,650 patients)
  • La Pine Community Health Center (~1,200 patients)
  • Cascadia Health (~1,800 patients)
  • Columbia River Health (304 individuals - reported separately as TriZetto business associate)

Iowa:

  • MercyOne

Massachusetts:

  • Lynn Community Health

The concentration of community health centers and safety-net providers among the affected organizations is notable.

These organizations serve predominantly low-income, uninsured, and underinsured populations - patients who are least equipped to absorb the consequences of identity theft and who face the greatest barriers to credit monitoring and fraud resolution.

Several providers had direct business associate agreements with TriZetto; others were affected through subcontractor relationships, including providers using OCHIN Epic whose eligibility verification was routed through TriZetto's clearinghouse.

05

WHAT WAS EXPOSED

The compromised data varies by individual but includes the following categories:

  • Full names and residential addresses - standard PII enabling identity fraud, phishing, and physical mail-based social engineering.
  • Dates of birth - combined with SSNs and addresses, these create complete identity theft packages.
  • Social Security numbers - the most consequential exposure. SSNs cannot be changed. They are the primary identifier for credit applications, tax filings, and government benefits. Stolen SSNs enable tax refund fraud, synthetic identity creation, and long-term financial exploitation.
  • Health insurance member numbers - enable insurance fraud, false claims, and unauthorized access to healthcare services under the victim's identity.
  • Medicare beneficiary identifiers - Medicare fraud is a $60+ billion annual problem. Stolen Medicare numbers enable fraudulent billing for medical equipment, phantom services, and prescription drug schemes.
  • Health insurer names and provider names - contextual information that enables targeted phishing and pretext calls impersonating insurance companies or healthcare providers.
  • Primary insured or dependent information - reveals family relationships, employment status, and dependent coverage - data useful for social engineering and targeted fraud.
  • Demographic, health, and health insurance information - clinical data that cannot be changed. Unlike a credit card number, a diagnosis is permanent. Exposure of health information creates risks of discrimination, blackmail, and stigma.

TriZetto confirmed that no payment card, bank account, or other financial information was involved in the breach - the exposed data was limited to eligibility verification transaction records.

06

TECHNICAL FAILURE CHAIN

TriZetto and Mandiant have not disclosed the specific technical vulnerability exploited. Based on the available evidence - a web portal compromise that went undetected for 11 months while the attacker accessed historical reports - the following failure chain can be reconstructed:

1. Web portal vulnerability (specific flaw undisclosed). The attacker gained access through a web portal used by healthcare providers for eligibility verification.

Whether this involved compromised credentials, an application-level vulnerability (such as an insecure direct object reference, broken access control, or authentication bypass), or a combination remains unknown.

TriZetto's refusal to disclose the attack vector prevents the broader healthcare industry from assessing whether similar vulnerabilities exist in their own vendor portals.

2. Absence of behavioral monitoring and anomaly detection. The attacker accessed historical eligibility transaction reports over an 11-month period. This represents a sustained pattern of data access that should have been flagged by behavioral analytics.

A legitimate healthcare provider queries current eligibility for active patients.

An attacker systematically harvesting historical records across millions of patients produces a fundamentally different access pattern - different in volume, frequency, scope, and temporal distribution.

The absence of user and entity behavior analytics (UEBA) capable of detecting this anomaly is a critical failure.

3. No access controls on historical data. The eligibility verification web portal apparently provided access to historical transaction reports spanning years of data. Legitimate eligibility verification requires current coverage information for active patients.

There is no operational reason for a provider portal to expose bulk historical records.

The failure to implement role-based access controls, data minimization principles, and time-based access restrictions on historical data expanded the blast radius from current transactions to the full 3.4 million patient dataset.

4. Inadequate session monitoring and audit logging. An 11-month compromise window implies that either audit logs were not maintained, were not reviewed, or did not capture sufficient detail to identify anomalous access patterns.

Continuous session monitoring with automated alerting on access volume, geographic origin, and behavioral deviation should have detected the compromise within days or weeks - not months.

5. Failure to segment web-facing applications from backend data stores. A web portal vulnerability should not provide direct access to historical data repositories containing 3.4 million patient records.

Application-layer segmentation, API gateways with rate limiting, and data access proxies that enforce need-to-know restrictions would have limited the attacker's reach even after initial portal compromise.

07

REGULATORY EXPOSURE

  • HIPAA Security Rule (45 CFR 164.312) - TriZetto operates as a HIPAA business associate processing protected health information on behalf of covered entities (healthcare providers). The Security Rule requires implementation of access controls (164.312(a)), audit controls (164.312(b)), integrity controls (164.312(c)), and transmission security (164.312(e)). An 11-month undetected compromise of a web portal accessing PHI for 3.4 million individuals represents a potential failure across all four categories. HHS OCR investigates all breaches affecting 500+ individuals. Penalties for violations attributable to willful neglect that was not timely corrected reach $1.5 million per violation category per calendar year, with a maximum aggregate of $2.1 million per violation category per year.
  • HIPAA Breach Notification Rule (45 CFR 164.404-408) - HIPAA requires notification to affected individuals without unreasonable delay and no later than 60 days following discovery of a breach. TriZetto detected the breach on October 2, 2025. Individual notifications began on February 6, 2026 - 127 days after detection. TriZetto may argue that the investigation was ongoing and the breach scope was not confirmed until late November 2025, which would place notifications within the 60-day window from the November 28 determination date. However, the gap between October 2 detection and November 28 scope determination will be scrutinized as potentially unreasonable delay.
  • HIPAA Business Associate Obligations (45 CFR 164.502(e), 164.504(e)) - As a business associate, TriZetto is directly liable for HIPAA Security Rule violations. The 2013 HITECH Omnibus Rule extended direct enforcement authority to business associates. TriZetto's filing of the HHS OCR breach report on behalf of its covered entity clients (rather than individual providers filing separately) is procedurally correct but does not reduce TriZetto's direct liability.
  • State Breach Notification Laws - SSN exposure triggers mandatory notification in all 50 US states. TriZetto filed notifications in Maine, Oregon, Texas, New Hampshire, California, South Carolina, Massachusetts, and Vermont. Notification timelines vary by state: Texas requires notification within 60 days of breach discovery. California requires notification in the most expedient time possible and without unreasonable delay. The 127-day gap between detection and individual notification may violate state-specific timelines.
  • California Consumer Privacy Act (CCPA/CPRA) - California residents affected by the breach may bring private right of action claims for unauthorized access to nonencrypted or nonredacted personal information. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. With California community health centers representing a significant portion of affected providers, the CCPA exposure is substantial. At $750 per consumer, even 100,000 California residents would generate $75 million in potential statutory damages.
  • FTC Act Section 5 - The FTC has authority to pursue unfair or deceptive trade practices. A company that holds SOC 2, EHNAC, and HITRUST certifications while operating a web portal with an exploitable vulnerability that goes undetected for 11 months may face deceptive practices claims if those certifications were represented to clients as evidence of adequate security. The FTC Health Breach Notification Rule may also apply to entities not covered by HIPAA, potentially extending to certain downstream data uses.
  • State Consumer Protection Statutes - The class action lawsuits filed in New Jersey and Missouri invoke state consumer protection laws. New Jersey's Consumer Fraud Act provides for treble damages. Missouri's Merchandising Practices Act prohibits deceptive practices in connection with the sale of services.

08

INTELLIGENCE GAPS

Several critical questions remain unanswered:

  • Attack vector: TriZetto has not disclosed whether the web portal was compromised through stolen credentials, an application-level vulnerability, or another method. This is the most critical gap. Without knowing how the attacker gained access, other healthcare organizations using similar vendor portals cannot assess their own exposure.
  • Threat actor identity and motivation: No group has claimed responsibility. It is unknown whether this was a financially motivated data theft, an opportunistic exploitation of a web vulnerability, or a targeted operation against healthcare data. The absence of ransomware deployment or public data listing is notable.
  • Dark web status: It is unknown whether the stolen data has been sold, published, or distributed on dark web marketplaces. The absence of a public claim may indicate private sale, ongoing monetization through identity fraud, or that the data has not yet been marketed.
  • Full list of affected providers: The total number of healthcare providers affected has not been disclosed. Individual provider notifications continue to emerge months after initial disclosure. The true scope of affected organizations may not be known for months.
  • Mandiant investigation findings: Mandiant's forensic investigation concluded in late November 2025. The full findings - including the specific vulnerability, attack methodology, indicators of compromise, and whether additional TriZetto systems were accessed - have not been publicly released.
  • Cognizant internal security review: Whether Cognizant has conducted or plans to conduct a broader security review of TriZetto's infrastructure and other Cognizant subsidiary systems in response to this breach is unknown.

09

ZERO|TOLERANCE Advisory

1. Deploy user and entity behavior analytics (UEBA) on all data access portals. The single control that would have most likely detected this breach early is behavioral monitoring.

An 11-month pattern of anomalous data access - systematically harvesting historical eligibility records across millions of patients - produces access patterns fundamentally different from legitimate provider queries.

UEBA platforms (e.g., Microsoft Sentinel UEBA, Splunk UBA, Exabeam) should baseline normal access patterns and alert on deviations in volume, frequency, temporal distribution, and scope of record access within days, not months.

2. Implement strict role-based access controls with data minimization on the eligibility verification portal.

Historical eligibility transaction reports containing years of patient data should not be accessible through the same portal interface used for current eligibility verification.

Implement separate access tiers: current-day eligibility queries available through the standard portal, historical reports available only through a restricted interface requiring additional authentication, managerial approval, and audit logging.

Apply the principle of least privilege: a provider querying today's coverage should not have access to records from 2023.

3. Enforce phishing-resistant multifactor authentication on all web portal access. Every healthcare vendor portal handling PHI should require FIDO2 hardware security keys or device-bound passkeys for authentication.

If the breach was enabled by stolen credentials, MFA would have blocked the initial access entirely. If it was an application-layer vulnerability, MFA would have limited the attacker's ability to maintain persistent access.

4. Conduct continuous penetration testing and web application security assessments on patient-facing portals.

A web portal handling eligibility verification for 3.4 million+ patients should be subject to annual penetration testing at minimum, with continuous automated scanning for OWASP Top 10 vulnerabilities - including broken access control, injection flaws, and authentication failures.

TriZetto's HITRUST and SOC 2 certifications evidently did not catch the exploited vulnerability.

5. Implement real-time audit logging with automated anomaly alerting. Every access to historical eligibility records should generate an audit log entry that is shipped to a centralized SIEM and correlated against baseline access patterns.

Alerts should fire on: bulk record access exceeding normal thresholds, access to records outside a provider's patient population, access from unusual geographic locations or at unusual times, and sequential access patterns indicative of automated scraping rather than individual patient lookups.
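The alert conditions listed in item 5, together with the behavioral-monitoring gap described in failure chain item 2, worked through as detection logic over constructed portal audit lines. This is an added example, not code from TriZetto, Mandiant or any UEBA product; the log line format, the field names and the thresholds are assumptions chosen so the constructed sample trips every rule.

```python
"""Behaviour-based detection over eligibility-portal audit logs (added example, not vendor code).
Assumed audit line format (constructed): <access timestamp> <portal user> <patient id> <report date>.
Thresholds are deliberately low so the constructed sample triggers them."""
from collections import defaultdict
from datetime import datetime, timedelta

HISTORICAL_DAYS = 90           # a report older than this is historical, not current eligibility
BULK_PER_HOUR = 4              # per-user records per hour above which access counts as bulk
SEQ_RUN = 4                    # this many consecutive patient IDs in a row looks like enumeration
BUSINESS_HOURS = range(6, 21)  # 06:00-20:59 portal-local time; anything else is off-hours

# Constructed sample: clinic_a does normal same-day lookups; clinic_b walks years-old reports at 02:10.
SAMPLE_LOG = """\
2024-11-18T09:12:05 clinic_a P100231 2024-11-18
2024-11-18T09:14:40 clinic_a P100877 2024-11-18
2024-11-18T10:02:11 clinic_a P100419 2024-11-17
2024-11-18T15:30:00 clinic_a P100052 2024-11-18
2024-11-19T02:10:00 clinic_b P200001 2022-03-04
2024-11-19T02:10:01 clinic_b P200002 2021-07-19
2024-11-19T02:10:02 clinic_b P200003 2023-01-30
2024-11-19T02:10:03 clinic_b P200004 2022-11-02
2024-11-19T02:10:04 clinic_b P200005 2020-09-15
"""

def parse(log_text):
    """Yield (ts, user, patient, report_date) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), parts[1], parts[2],
                   datetime.fromisoformat(parts[3]))
        except ValueError:
            continue

def consecutive(prev, cur):
    """True when cur's numeric part is prev's + 1, e.g. P200002 directly after P200001."""
    try:
        return int(cur[1:]) == int(prev[1:]) + 1
    except ValueError:
        return False

def detect(log_text):
    """Return {user: sorted alert names} for the access behaviours the advisory lists."""
    by_user = defaultdict(list)
    for ev in sorted(parse(log_text)):          # chronological order per user
        by_user[ev[1]].append(ev)
    alerts = defaultdict(set)
    for user, evs in by_user.items():
        # Baseline population: patients this user has looked up with a current report.
        population = {p for ts, _, p, rd in evs if ts - rd <= timedelta(days=HISTORICAL_DAYS)}
        hourly, run = defaultdict(int), 1
        for i, (ts, _, patient, report_date) in enumerate(evs):
            if ts - report_date > timedelta(days=HISTORICAL_DAYS):
                alerts[user].add("historical_report_access")
                if patient not in population:      # historical record for a patient never seen live
                    alerts[user].add("outside_patient_population")
            if ts.hour not in BUSINESS_HOURS:
                alerts[user].add("off_hours_access")
            hour = ts.replace(minute=0, second=0, microsecond=0)
            hourly[hour] += 1
            if hourly[hour] > BULK_PER_HOUR:
                alerts[user].add("bulk_access")
            run = run + 1 if i and consecutive(evs[i - 1][2], patient) else 1
            if run >= SEQ_RUN:
                alerts[user].add("sequential_scraping")
    return {u: sorted(a) for u, a in alerts.items()}
```

Running `detect(SAMPLE_LOG)` reports only clinic_b, with all five alert names; clinic_a's same-day lookups produce nothing.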

6. Segment historical data from operational systems and enforce API-level rate limiting. Historical eligibility transaction data should be stored in a separate data tier with its own access controls, encryption at rest, and API gateway enforcement.

Rate limiting on the API serving historical data would have throttled systematic exfiltration. Even without knowing the exact vulnerability, architectural segmentation would have reduced the blast radius from 3.4 million records to a small subset.
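The two-tier access model in item 2 (and failure chain item 3) together with the quota enforcement in item 6, worked through as an in-memory policy check. This is an added example, not TriZetto's portal code; the role name, the approval tickets, the 30-day "current" window and the quota size are assumptions.

```python
"""Tiered access policy for an eligibility portal (added example, not TriZetto's code).
Assumptions (constructed): a report is current when at most CURRENT_WINDOW_DAYS old; historical
reports need a restricted role, a manager-issued approval ticket and a per-provider daily quota."""
from dataclasses import dataclass, field
from datetime import date, timedelta

CURRENT_WINDOW_DAYS = 30        # standard tier serves today's coverage, not last year's
HISTORICAL_ROLE = "historical_reports"
HISTORICAL_DAILY_QUOTA = 2      # deliberately tiny so the demo hits the limit

@dataclass
class Principal:
    provider_id: str
    roles: frozenset = frozenset()
    approvals: frozenset = frozenset()   # approval ticket ids a manager granted this user

@dataclass
class Report:
    provider_id: str     # provider whose patient the transaction report belongs to
    report_date: date

@dataclass
class DailyQuota:
    limit: int
    used: dict = field(default_factory=dict)

    def take(self, key):
        """Consume one unit for key; False once the quota is exhausted."""
        if self.used.get(key, 0) >= self.limit:
            return False
        self.used[key] = self.used.get(key, 0) + 1
        return True

def authorize(principal, report, today, quota, approval=None):
    """Return (allowed, tier_or_reason). Every outcome is meant to be written to the audit log."""
    # Need-to-know: a provider only ever sees its own patients' transactions.
    if report.provider_id != principal.provider_id:
        return False, "denied: report belongs to another provider"
    if today - report.report_date <= timedelta(days=CURRENT_WINDOW_DAYS):
        return True, "standard tier: current eligibility"
    # Everything below is the restricted historical tier.
    if HISTORICAL_ROLE not in principal.roles:
        return False, "denied: historical tier requires restricted role"
    if approval is None or approval not in principal.approvals:
        return False, "denied: historical tier requires managerial approval"
    if not quota.take(principal.provider_id):
        return False, "denied: historical daily quota exhausted"
    return True, "restricted tier: historical report"

def demo():
    """Constructed scenario; returns the decisions in order."""
    today = date(2025, 10, 2)
    quota = DailyQuota(limit=HISTORICAL_DAILY_QUOTA)
    front_desk = Principal("clinic_a")
    auditor = Principal("clinic_a", frozenset({HISTORICAL_ROLE}), frozenset({"APR-17"}))
    current = Report("clinic_a", date(2025, 10, 1))
    old = Report("clinic_a", date(2023, 6, 14))
    other = Report("clinic_b", date(2025, 10, 1))
    return [
        authorize(front_desk, current, today, quota),              # allowed, standard tier
        authorize(front_desk, old, today, quota),                  # denied, no restricted role
        authorize(front_desk, other, today, quota),                # denied, another provider
        authorize(auditor, old, today, quota),                     # denied, no approval ticket
        authorize(auditor, old, today, quota, approval="APR-17"),  # allowed, quota 1 of 2
        authorize(auditor, old, today, quota, approval="APR-17"),  # allowed, quota 2 of 2
        authorize(auditor, old, today, quota, approval="APR-17"),  # denied, quota exhausted
    ]
```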

10

SOURCES

TechCrunch, BleepingComputer, The Record (Recorded Future News), SecurityAffairs, Infosecurity Magazine, CPO Magazine, HIPAA Journal, GovInfoSecurity, BankInfoSecurity, SC Media, The Register, Cybersecurity News, CyberPress, TechRadar, Inc., Daily Hodl, Censinet, Defensorum, Netcrook, ClassAction.org, TopClassActions, eSecurity Planet, Prism News, BBN Times, Cascadia Health, MercyOne, Gardner Health Services, San Francisco Community Health Center, Mission Neighborhood Health Center FAQ, Maine Attorney General Office, Oregon Department of Justice, Texas Attorney General Office, Cognizant Investor Relations, Cognizant FY2025 Earnings Release, McDermott Will and Emery (breach counsel), Kroll (tpsincident.kroll.com)
