Cognizant's healthcare IT subsidiary TriZetto Provider Solutions has disclosed a data breach affecting more than 3.4 million patients across the United States. Unauthorized access began in November 2024 and went undetected until October 2025, an 11-month dwell time that gave attackers sustained access to one of the healthcare industry's most sensitive data pipelines. TriZetto processes insurance eligibility verification, claims management, and revenue cycle operations for health insurers and providers nationwide, so the blast radius extends well beyond TriZetto itself to every downstream client whose data flowed through the platform.

What Happened

In November 2024, threat actors gained unauthorized access to TriZetto Provider Solutions' systems. The intrusion was not detected until October 2025, nearly a year later. Breach notifications were subsequently filed and disclosure followed in early 2026.

The 11-month dwell time is the defining feature of this incident. Attackers operating undetected inside a healthcare IT platform for that duration had near-unlimited opportunity to enumerate data, establish persistence, exfiltrate in low-and-slow patterns designed to evade volume-based detection, and potentially pivot to connected systems.

TriZetto serves as a processing intermediary for insurance payers and healthcare providers. Its platforms sit at the intersection of patient identity data, coverage records, and financial claims, making it structurally similar to a clearinghouse. When a clearinghouse is compromised and stays compromised for 11 months, every transaction flowing through it during that period is potentially exposed.

The incident follows the now-familiar pattern of healthcare vendor breaches cascading across the industry: one vendor, many victims. The Change Healthcare ransomware attack in 2024 was the canonical example. TriZetto is the next chapter.

What Was Taken

Based on breach notifications, the exposed data includes:

3.4 million individuals are confirmed affected. Given the 11-month access window and TriZetto's role as a multi-client platform, the actual scope of organizational exposure likely exceeds the patient count; every health plan and provider organization whose data was processed through TriZetto during the intrusion period should treat their data as potentially compromised.

Healthcare records carry a market premium in the cybercrime economy because, unlike financial credentials, they cannot be invalidated. A stolen Social Security number combined with insurance data and medical history creates a fraud vector that persists for years.

Why It Matters

This is a textbook third-party vendor risk failure, and it is not the first in healthcare. The pattern:

  1. A vendor processes sensitive data on behalf of dozens or hundreds of healthcare organizations
  2. The vendor is breached, often via credentials or unpatched systems
  3. The breach goes undetected for months, sometimes over a year
  4. Downstream clients discover they are breach victims only after the vendor's disclosure

The precedents are mounting: Change Healthcare (UnitedHealth Group, 2024) disrupted claims processing for weeks and exposed data on a third of Americans. Welltok (2023) affected 8.5 million patients via MOVEit. ConnectOnCall (2024) exposed 900,000 patients. TriZetto adds 3.4 million to that toll.

What makes these incidents disproportionately damaging is the aggregation effect. A single vendor compromise yields data from hundreds of separate healthcare organizations in one operation. Attackers have industrialized this approach: target the vendor, harvest the clients.

For defenders, the critical lesson is that your security posture is only as strong as your weakest vendor. Health plans and providers that contracted TriZetto had no visibility into the intrusion for 11 months. They are now breach victims despite having done nothing wrong internally.

The Attack Technique

The full initial access vector has not been publicly confirmed. However, the November 2024 start date and 11-month dwell time are consistent with several known attack patterns against healthcare vendors:

The extended dwell time suggests either a sophisticated actor prioritizing stealth over impact, or a significant detection gap in TriZetto's monitoring capability, or both. An 11-month undetected presence in a healthcare IT environment is not a surveillance failure; it is a monitoring architecture failure. Endpoint detection, network anomaly detection, and data loss prevention controls either were not deployed or were not tuned to catch the activity patterns present.

No ransomware deployment has been confirmed, which suggests the objective was data exfiltration rather than operational disruption, consistent with a financially motivated actor targeting high-value healthcare records for resale or fraud enablement.

What Organizations Should Do

  1. Audit all TriZetto data flows immediately. If your organization used TriZetto Provider Solutions for any services between November 2024 and October 2025, treat all data processed through those systems as potentially compromised. Inventory what patient and member data was in scope and begin breach notification analysis.

  2. Extend vendor risk assessments to include detection capability, not just compliance posture. SOC 2 and HIPAA Business Associate Agreements do not tell you whether a vendor can detect an intrusion within days or within 11 months. Add mean-time-to-detect (MTTD) and incident response capability to your vendor evaluation criteria.

  3. Implement continuous monitoring of vendor data access. Where technically feasible, monitor the data you share with vendors; log what is queried, exported, or transmitted. Data governance controls at the source reduce the blast radius when a vendor is compromised.

  4. Review and stress-test your Business Associate Agreements. BAAs typically require breach notification within 60 days of discovery. Verify that your BAAs with all healthcare IT vendors include this requirement and define "discovery" precisely; a vendor that takes 11 months to detect a breach and then delays notification compounds the harm.

  5. Apply network segmentation to vendor-connected systems. Third-party vendor platforms should not have broad lateral movement capability within your environment. Segment vendor integrations into dedicated network zones with least-privilege access controls and outbound data flow monitoring.

  6. Flag affected patient populations for enhanced fraud monitoring. Notify affected individuals promptly and provide credit and identity monitoring services. For insurance payers, flag affected member IDs for anomalous claims activity; insurance fraud using stolen member data typically surfaces within 3–12 months of a breach.
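The low-and-slow exfiltration pattern described above defeats a per-day volume threshold, and recommendation 3 (log what vendors query and export) only helps if something evaluates those logs over a longer horizon. The following is an added illustration, not TriZetto's or Cognizant's code: it runs a naive daily-cap rule and a rolling-window baseline rule over a constructed vendor export log in which a service account's exports quietly climb to just under the daily cap. The log format, account name, thresholds and window length are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

DAILY_CAP = 5000        # records/day per principal; a volume rule an attacker can stay under
WINDOW_DAYS = 14        # rolling window for the cumulative rule
BASELINE_MULT = 2.0     # alert when a window total exceeds 2x the learned baseline
BASELINE_DAYS = 30      # quiet period used to learn each principal's normal daily volume

def build_sample_log():
    """Constructed log (assumed format: date,principal,action,record_count):
    30 quiet days at ~1,000 exports/day, then 30 days at 4,500/day, under DAILY_CAP."""
    start = date(2025, 1, 1)
    return [f"{(start + timedelta(days=i)).isoformat()},payer-sync,export,"
            f"{1000 if i < 30 else 4500}" for i in range(60)]

def parse(lines):
    """Aggregate exported record counts per principal per day."""
    per_day = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, principal, action, count = line.strip().split(",")
        if action == "export":
            per_day[principal][date.fromisoformat(day)] += int(count)
    return per_day

def daily_cap_alerts(per_day):
    """Volume-only rule: fires only when a single day exceeds DAILY_CAP."""
    return [(p, d, n) for p, days in per_day.items()
            for d, n in days.items() if n > DAILY_CAP]

def rolling_alerts(per_day):
    """Learn each principal's median daily volume from its first BASELINE_DAYS days,
    then flag the first WINDOW_DAYS window whose total exceeds
    BASELINE_MULT * median * WINDOW_DAYS. Catches sustained sub-threshold exports."""
    alerts = []
    for principal, days in per_day.items():
        ordered = sorted(days)
        baseline = median(days[d] for d in ordered[:BASELINE_DAYS])
        limit = BASELINE_MULT * baseline * WINDOW_DAYS
        for end in ordered[BASELINE_DAYS:]:
            window_start = end - timedelta(days=WINDOW_DAYS - 1)
            total = sum(days[d] for d in ordered if window_start <= d <= end)
            if total > limit:
                alerts.append((principal, end, total))
                break  # one alert per principal is enough to open an investigation
    return alerts

if __name__ == "__main__":
    log = parse(build_sample_log())
    print("daily-cap alerts:", daily_cap_alerts(log))   # [] : the rule never fires
    print("rolling alerts:", rolling_alerts(log))       # fires on 2025-02-04
```

In practice the baseline should be learned per principal and per data class, and the rolling rule should run alongside the daily cap rather than replace it.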
