Healthcare IT vendor TriZetto Provider Solutions (TPS), a Cognizant-owned firm that supplies claims management and billing software to hospitals, physician practices, and insurers, has confirmed a breach affecting more than 3.4 million patients. The disclosure, filed with the Office of the Maine Attorney General, traces the incident back to suspicious activity detected in a customer-facing web portal on October 2, 2025.
What Happened
TPS identified anomalous behavior in a web portal used by a subset of its healthcare provider customers in early October 2025. Following detection, the company engaged law enforcement and external security partners to investigate the scope of the intrusion. The breach notification, published via the Maine AG's office, formalizes the impact at over 3.4 million affected individuals. TPS has not publicly named a threat actor, disclosed the initial access vector, or specified whether the incident involved data exfiltration only or extended to ransomware-style impact. The firm states it has implemented additional security controls, but the specifics remain undisclosed, even though TPS markets its platform as SOC 2, EHNAC, and HITRUST certified.
What Was Taken
TPS confirms that no payment card numbers, bank account details, or other financial credentials were exposed. However, the compromised dataset is significant in both volume and sensitivity, including:
- Full names, residential addresses, and dates of birth
- Social Security numbers
- Health insurance member numbers, including Medicare identifiers
- Provider names and health insurer names
- Primary insured information
- Additional demographic, health, and health insurance information
This combination of identifiers, payer data, and protected health information (PHI) is a high-value package for identity theft, medical billing fraud, and synthetic identity creation.
Why It Matters
The TPS incident is another reminder that the healthcare sector's largest exposure is rarely a single hospital but rather the upstream IT and claims-processing vendors that aggregate data across thousands of providers. A single web portal compromise at TPS produced a victim count larger than most individual hospital systems serve in a decade. It follows a pattern visible in the Episource breach (5.4M affected) and the broader trend of healthcare clearinghouses becoming concentration risks for PHI. For defenders, the takeaway is that vendor risk management and third-party access controls now carry the same weight as direct perimeter defense, and Cognizant's recurring incident history, including the 2020 Maze ransomware event and the Clorox helpdesk lawsuit, makes its subsidiaries a high-priority watch item.
The Attack Technique
TPS has not disclosed the precise initial access vector. The publicly known facts are limited to the entry point being a customer-facing web portal used by healthcare providers. Plausible vectors consistent with the disclosure include credential abuse against the portal (stolen, phished, or brute-forced provider credentials), exploitation of a web application vulnerability, or a session-handling flaw enabling unauthorized access to claims data. The Cognizant-Clorox litigation is a relevant context point: that intrusion reportedly began with a helpdesk password reset performed without proper identity verification, illustrating how procedural failures around portal and account access have repeatedly shown up in this corporate group.
What Organizations Should Do
Healthcare providers, payers, and any organization integrated with TPS or similar clearinghouses should take the following steps:
- Inventory all integrations with TPS and Cognizant-operated platforms, and request a written incident scope statement covering which portals, datasets, and customer tenants were affected.
- Force credential rotation for all user accounts with access to TPS portals, and require phishing-resistant MFA (FIDO2 / hardware tokens) for any continued access.
- Audit web portal authentication logs for the October 2025 window and the months prior, looking for anomalous logins, session reuse, or impossible-travel events tied to provider accounts.
- Tighten helpdesk identity-proofing procedures for password resets and MFA changes, given the documented social-engineering failures across Cognizant operations.
- Notify affected patients and provide credit and identity monitoring beyond the basic offering, including medical-identity-theft monitoring, given that SSNs and Medicare numbers were exposed.
- Reassess vendor risk tiering for healthcare clearinghouses and claims processors, treating them as Tier 1 critical-data custodians with corresponding contractual breach-notification, audit, and security-control requirements.
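
One way to run the authentication-log audit recommended above, as an added example that is not from TPS or the original article. The log fields, the pre-resolved geo-IP coordinates, the speed and distance thresholds, and the reading of session reuse as one session ID seen from more than one source IP are all assumptions, and the events are constructed samples.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real portal data). Assumed fields:
# timestamp, account, session id, source IP, geo-IP latitude, geo-IP longitude.
SAMPLE_EVENTS = [
    ("2025-09-30T14:02:00", "clinic-a", "s1", "198.51.100.10", 43.66, -70.26),  # Portland, ME
    ("2025-09-30T14:40:00", "clinic-a", "s1", "198.51.100.10", 43.66, -70.26),
    ("2025-09-30T15:10:00", "clinic-a", "s2", "203.0.113.77", 52.52, 13.40),    # Berlin
    ("2025-10-01T09:00:00", "clinic-b", "s3", "192.0.2.5", 41.88, -87.63),      # Chicago
    ("2025-10-01T09:20:00", "clinic-b", "s3", "203.0.113.90", 41.90, -87.65),   # same session, new IP
]

MAX_KMH = 900  # assumed threshold: roughly airliner cruise speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def audit(events, max_kmh=MAX_KMH):
    """Return (impossible_travel, session_reuse) findings for the given events."""
    by_account = defaultdict(list)
    session_ips = defaultdict(set)
    for ts, acct, sid, ip, lat, lon in events:
        by_account[acct].append((datetime.fromisoformat(ts), ip, lat, lon))
        session_ips[(acct, sid)].add(ip)

    travel = []
    for acct, rows in by_account.items():
        rows.sort()  # chronological order per account
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)  # avoid divide-by-zero
            if km > 50 and km / hours > max_kmh:  # ignore geo-IP jitter under 50 km
                travel.append((acct, ip1, ip2, round(km)))
    # A session ID observed from more than one IP suggests token theft or replay.
    reuse = sorted((a, s, sorted(ips)) for (a, s), ips in session_ips.items() if len(ips) > 1)
    return travel, reuse

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
```

Findings from a check like this are leads for review, not verdicts: VPN egress points and mobile carriers routinely produce both patterns for legitimate users.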