A major health-care data vendor says hackers had access to sensitive insurance and identity data for months—starting in November 2024—before the company spotted the intrusion on Oct. 2, 2025.
Now TriZetto Provider Solutions, a Cognizant-owned firm that sits deep in the medical billing and insurance “plumbing,” is notifying about 3.43 million people whose information may have been exposed. Many patients are learning about the breach not from TriZetto, but from their doctor’s office or clinic—even when those providers insist their own systems were never hacked.
A back-office vendor breach with front-line fallout
This wasn’t a single hospital with weak defenses getting picked off in isolation. TriZetto operates in the middle of the U.S. health-care payment pipeline, handling eligibility checks and insurance-related transactions that help providers confirm whether a service is covered and under what terms.
The result is a familiar—and maddening—dynamic for patients: your local clinic ends up apologizing for a breach that happened somewhere else, inside a vendor you’ve probably never heard of. And because the access may have begun nearly a year before detection, the notification can feel less like a warning and more like a postscript.
The alleged entry point: a web portal used by providers
TriZetto says the incident centered on a web portal some customers use to access TriZetto-hosted services and data. The company says it detected suspicious activity on Oct. 2, 2025, and secured the portal shortly afterward.
Since then, TriZetto says it has not observed further unauthorized activity on that portal. The immediate response may have been swift—once alarms finally went off.
What data may have been exposed
According to notification letters, the exposed information varies by person but can include names, addresses, dates of birth, Social Security numbers, health insurance member IDs, and in some cases Medicare beneficiary identifiers.
TriZetto also referenced demographic and health-insurance-related information tied to historical eligibility verification transactions—routine administrative records that become highly valuable when bundled together. In the wrong hands, that mix can fuel identity theft, insurance fraud, or medical fraud that can take months to untangle.
Why it may have taken so long to detect
The timeline is the part that raises the hardest questions: TriZetto says the unauthorized access may have started in November 2024, but wasn’t detected until October 2025.
Security experts often point to a few common culprits in long-running intrusions: stolen credentials that look “legitimate,” monitoring that focuses more on preventing data leaks than spotting abnormal behavior, and alert fatigue inside security teams. Another classic tactic is “low and slow”—an attacker quietly pulling small amounts of data over time to blend in with normal portal use.
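As an added illustration (not from the article or from TriZetto), the following Python compares a per-day volume rule with a long-window count of distinct records per account, run over a constructed portal log. The log format, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

DAILY_LIMIT = 200     # assumed per-day alert threshold (lookups per account)
WINDOW_DAYS = 90      # assumed long look-back window
WINDOW_LIMIT = 2000   # assumed cap on distinct member records per window


def build_events():
    """Constructed sample log: (day, account, member_id) eligibility lookups."""
    start, events = date(2025, 1, 1), []
    for d in range(WINDOW_DAYS):
        day = start + timedelta(days=d)
        # Normal front-desk account: 40 lookups a day, the same 600 patients recurring.
        events += [(day, "clinic-frontdesk", (d * 40 + i) % 600) for i in range(40)]
        # Low-and-slow account: 60 lookups a day, never the same member twice.
        events += [(day, "clinic-billing2", 100000 + d * 60 + i) for i in range(60)]
    # Noisy bulk job: one 500-record burst on a single day.
    events += [(start, "batch-export", 900000 + i) for i in range(500)]
    return events


def daily_alerts(events, limit=DAILY_LIMIT):
    """Volume rule: flag accounts exceeding `limit` lookups on any single day."""
    per_day = defaultdict(int)
    for day, account, _ in events:
        per_day[(account, day)] += 1
    return {acct for (acct, _), n in per_day.items() if n > limit}


def window_alerts(events, end, days=WINDOW_DAYS, limit=WINDOW_LIMIT):
    """Behavioral rule: flag accounts touching more than `limit` distinct
    member records across the whole window, however thinly spread."""
    cutoff = end - timedelta(days=days)
    seen = defaultdict(set)
    for day, account, member in events:
        if cutoff < day <= end:
            seen[account].add(member)
    return {acct for acct, members in seen.items() if len(members) > limit}


if __name__ == "__main__":
    ev = build_events()
    print("daily rule :", daily_alerts(ev))
    print("window rule:", window_alerts(ev, end=date(2025, 3, 31)))
```

The daily rule fires only on the one-off burst, while the account that stays under the daily limit but never repeats a record is caught only by the windowed distinct-record count.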
There’s also the reality of post-incident forensics in health care: determining exactly what was accessed, matching it to affected customers, and then identifying impacted individuals can be painstaking—especially if logs are incomplete or retention is limited.
Clinics say their systems weren’t breached—patients still pay the price
Public notices from providers underscore the ripple effect. Cascadia Health in Portland, Oregon, for example, said roughly 1,800 of its patients were affected, while emphasizing the incident did not occur on Cascadia’s internal systems.
Farmington Valley Dermatology has posted a similar message, saying the breach occurred only on TriZetto systems and that its own electronic health record and cloud systems remained secure.
Other organizations mentioned in public notifications include community clinics such as Gardner Health Services in San Jose, California, and San Francisco Community Health Center. TriZetto has not publicly detailed how many customers were impacted, but reports indicate dozens of providers have acknowledged involvement or issued their own notices.
In some cases, the vendor relationships are layered: TriZetto may be a subcontractor to another “business associate” that supports clinic networks. That chain can slow coordination—and delay the moment a patient finally gets a letter.
HIPAA’s notification chain can slow down warnings
Under HIPAA—the federal health privacy law—vendors like TriZetto are typically considered “business associates,” meaning they handle protected health information on behalf of covered entities such as hospitals, insurers, and clinics.
That structure can create a two-step notification lag: the vendor notifies the covered entities after discovering a breach, then the covered entities notify patients. TriZetto says it began notifying providers on Dec. 9, 2025, and offered to send required notices on providers’ behalf, mailing letters directly to affected individuals at their last known address.
The breach appears on the federal government’s public HIPAA breach tracker at more than 3.43 million affected—an enormous number even in a sector that has grown numb to data incidents. At that scale, the target isn’t a single clinic; it’s a central hub with industrial volumes of data moving through it.
What TriZetto is offering—and what patients can do now
TriZetto is offering free identity monitoring services to affected individuals, including credit monitoring, fraud consultation, and identity restoration support. A dedicated call center is listed in public notices, with business-hour availability in Central Time.
For patients, the risk isn’t just a fraudulent credit card charge. Exposed Social Security numbers and insurance identifiers can be used to open new accounts, redirect mail, or submit medical claims under someone else’s name—problems that can be slow and frustrating to correct in the U.S. health-care system.
Practical steps include monitoring credit reports if you have access, scrutinizing mail from insurers or Medicare for anything that doesn’t match your care, and saving the notification letter for your records. If your Social Security number was included, treat it as a serious exposure even if nothing looks wrong right away—fraud can surface long after the initial breach.
For the industry, the bigger implication is about detection, not just cleanup. Offering monitoring has become standard after a breach. The harder question is whether health-care vendors that sit at the center of billing and eligibility workflows are investing enough in behavioral monitoring and anomaly detection to catch intrusions before they stretch into months—and balloon into millions of affected patients.
Key Takeaways
- TriZetto reports unauthorized access beginning in November 2024, detected on October 2, 2025.
- More than 3.43 million people are affected, with varying identity and insurance data involved.
- Healthcare providers say their internal systems were not impacted; the incident occurred at TriZetto.
- Notification timelines are extended by the HIPAA business associate/covered entity chain.
- TriZetto is offering identity monitoring, which is helpful but limited against long-term fraud risks.
Frequently Asked Questions
What data may have been exposed in the TriZetto incident?
According to the notices, the data varies by individual and may include name, address, date of birth, Social Security number, health insurance member ID number, and sometimes a Medicare identifier, along with demographic and insurance-related information.
Why did I receive a letter from a clinic if the breach wasn’t at the clinic?
TriZetto acts as a vendor (business associate) for healthcare organizations. Several facilities say their internal systems were not compromised, but that data TriZetto processed for their patients was affected.
What is TriZetto offering to affected individuals?
TriZetto is offering free identity monitoring services: credit monitoring, fraud consultation, and identity restoration. Practical details are included in the notification letters and may include a dedicated call center.
Why did detection take so long?
Explanations cited in the case file include the use of stolen credentials that were not flagged, monitoring that was too focused on preventing data loss rather than on behavior, and alert fatigue. Attackers may also use a “low and slow” approach that is harder to detect.
What should I watch for after this type of breach?
Watch for credit alerts if you have access to them, any unusual mail or communications from your insurer or Medicare, and keep a copy of the notification letter. Identity monitoring can help spot anomalies, even though some fraud may show up much later.



