TriZetto failed to stop hackers stealing Americans' health data for a year
A data breach at a major U.S. health technology company, which handles billions of patient transactions annually, is now coming to light almost a year after hackers first broke into the company's systems.
TriZetto is a health tech giant owned by multinational IT conglomerate Cognizant (yes, that Cognizant). Healthcare providers, doctors' offices, and hospitals use TriZetto to verify a person's health insurance benefits. The company says it serves 200 million people across 875,000 healthcare providers throughout the United States, and handles more than four billion healthcare-related payments each year.
As such, TriZetto touches a ton of patient data.
Complicating things, TriZetto has said very little about its data breach so far, including how the hack happened and what circumstances led to its discovery. TriZetto makes no mention on its website that it was hacked.
When reached by email, William Abelson, a spokesperson for TriZetto's parent company Cognizant, reiterated that the company "launched an investigation, took steps to mitigate the issue, and eliminated the threat to the environment," but did not answer specific questions from me about how many individuals are affected and why the breach wasn't detected sooner.
With downstream healthcare providers now starting to notify affected patients about the breach, this is what you should know so far.
On October 2, TriZetto discovered a web portal used by some of its healthcare provider customers had been hacked. The company expelled the hackers from its network on the same day. TriZetto later confirmed that it hired incident response firm Mandiant to investigate, which determined the hackers had access to "eligibility transaction reports" on the company's servers as far back as November 2024.
TriZetto said these reports contained patients' protected health information, and were used for verifying the eligibility of people seeking access to health insurance.
According to a data breach notice sent to one provider, the hackers compromised patients' names and dates of birth, their Social Security numbers, health insurance member numbers (which may be a Medicare identifier) and the name of their health insurer, records about the patient's dependents, and reams of other demographic and health insurance-related information.
TriZetto said it had no evidence that the hackers downloaded any data, but also didn't say if it had the technical means (such as log files) to know for sure.
Two months later on December 9, TriZetto began notifying its affected healthcare provider customers whose patients had information accessed in the breach.
One of the biggest providers is OCHIN, a nonprofit consultancy firm that provides healthcare technology to some 300 rural and community care providers across the United States. This includes hosting and providing access to MyChart electronic health records systems licensed from tech giant Epic, which patients use to log in and access their diagnoses, prescriptions, and medical notes. OCHIN alone serves at least 7.6 million patients through this offering, according to its website.
OCHIN said that in the days after it was notified, TriZetto shared several lists of affected patients, suggesting TriZetto had at least some indication of which patients had data compromised.
From there, OCHIN — and other healthcare providers and their affiliates who rely on TriZetto — began notifying their downstream customers and partners, and ultimately sending notices to the patients they serve.
In OCHIN's case, this includes Planned Parenthood of Northern California, the Mission Neighborhood Health Center, and many other healthcare providers across the United States, whose data breach notices are starting to roll in.
TriZetto told its customers that not every healthcare provider was affected, nor every patient’s information accessed.
But the number of data breach notifications seen so far suggests at least thousands of people across the U.S. had sensitive personal and health data compromised in the attack, if not more. As of the time of publication, the U.S. Health and Human Services, which keeps track of HIPAA-related data breaches, has not been updated with details about TriZetto's hack.
The true scale of TriZetto's breach is likely to come to light in the coming months as more data breach notifications come in.