An almost year-long data breach at TriZetto Provider Solutions (TPS) has leaked the sensitive health data of 3.4 million individuals.
Cognizant-owned TriZetto provides billing systems for healthcare providers and health technology systems operators. It serves over 200 million Americans across over 800,000 health facilities.
In early October 2025, the health IT firm discovered the breach after detecting suspicious activity on its web portal.
“On October 2, 2025, TPS became aware of suspicious activity within a web portal that some of TPS’s healthcare provider customers use to access our systems,” it stated.
It responded by launching an investigation with the help of external cybersecurity experts and notifying law enforcement.
TriZetto confirms massive health data breach
The company’s probe determined that since November 2024, the attacker had accessed documents used by healthcare providers for insurance verification.
“TPS determined that, beginning in November 2024, an unauthorized actor began accessing some records related to insurance eligibility verification transactions that healthcare providers process to assess insurance coverage for treatment services they provide to patients,” the company said.
While the compromised information varied by individual, it included full names, physical addresses, dates of birth, and Social Security Numbers. The data breach also leaked health insurance numbers, Medicare beneficiary IDs, health provider names, insurer names, and demographic, health, and insurance information.
According to a data breach notification filed with the Office of the Maine Attorney General, the data breach affected 3,433,965 people, including 1,128 Maine residents.
However, the health data breach did not leak credit card numbers or bank account information. So far, TriZetto believes the attacker has not leaked or misused the stolen information for fraud or identity theft.
Usually, cybercriminals publish the stolen information on underground data leak sites when the breached organization refuses to pay a ransom. TriZetto has not indicated whether it has received ransom demands or whether it would pay.
Meanwhile, the health IT firm has notified both impacted providers and patients and applied additional mitigations to prevent further compromise and enhance the security of its systems. So far, the company also believes the threat was terminated successfully.
Additionally, TPS is offering 12 months of Kroll Single-bureau credit monitoring and identity theft protection to protect the victims’ health data from misuse by cybercriminals.
At the time of publication, TriZetto has not revealed the identity of the attacker, and no cybercrime gang has taken responsibility for the health data breach.
“A detection gap of nearly a year is an unacceptable failure of TriZetto’s information security program,” said Damon Small, Board of Directors, Xcape. “This incident proves that non-clinical administrative data is being treated as a secondary priority despite it being a primary target for long-term identity exploitation.”
“Defenders must move beyond perimeter defense to implement aggressive egress filtering and anomaly detection that identifies unauthorized data staging within provider-facing environments. If your ‘secure’ portal can leak data for 327 days without triggering a single alert, then your monitoring strategy is functionally non-existent,” added Small.
Cybercriminals continue to target the healthcare sector
Health data is highly sought after in cybercrime marketplaces because its sensitivity makes breached organizations more willing to pay the ransom to avoid exposing their patients’ health records.
In February 2024, a ransomware attack on Change Healthcare, an insurance and billing provider, leaked the personal and health data of 192 million people, making it the largest healthcare breach in American history.
Similarly, McLaren Health Care, a fully integrated health care delivery system of 15 hospitals, also suffered a Maze ransomware attack between July 28 and August 23, 2023, exposing 2.2 million people.
In 2020, Trizetto’s parent company, Cognizant, was hit by a Maze Ransomware attack, which disrupted services and potentially leaked patient data.
