It has been more than four months since TriZetto Provider Solutions discovered unauthorized access to its IT environment, and it has now been confirmed that the protected health information of 3,433,965 individuals was exposed or compromised in the incident. The data breach has recently been added to the HHS’ Office for Civil Rights breach portal, suggesting the data breach investigation and data review have been completed. At more than 3.4 million affected individuals, it ranks as one of the largest healthcare data breaches of 2025.
January 26, 2026: Trizetto Data Breach Victim Count Swells
Based on previous estimates of the scale of the Trizetto data breach, more than 700,000 individuals were thought to have been affected. It is now clear that the data breach was significantly bigger. The Oregon Attorney General has recently been informed that the personal and protected health information of 3,433,965 individuals was exposed or compromised in the incident, plus a further 304 individuals in Trizetto’s capacity as a business associate of Columbia River Health.
Attorneys General in other U.S. states have also received breach notices, although few publicly disclose the number of state residents affected. Two states that do are Texas and South Carolina. The Texas Attorney General was informed that the personal and protected health information of 171,158 Texas residents was compromised in the incident, while South Carolina was informed that 3,562 individuals in the state were affected. Other states that have been notified but have not published the number of affected individuals include California, Massachusetts, New Hampshire, and Vermont. Based on the disclosures to the Oregon, Texas, and New Hampshire Attorneys General alone, the data breach is known to have affected more than 3.6 million individuals, making it one of the largest healthcare data breaches of 2025.
Trizetto has yet to confirm whether the review of the affected data has been completed, and there is currently no Trizetto data breach listed on the HHS’ Office for Civil Rights breach portal. It is not unusual for the number of affected individuals to be increased several times as a data breach investigation and data review progress. For instance, the massive data breach at Change Healthcare in 2024 was first reported as affecting 500 individuals. The total number of affected individuals was updated to 100 million, and the final estimate provided to regulators was 192,700,000 individuals.
While the TriZetto Provider Solutions data breach is unlikely to match the scale of the Change Healthcare data breach, it should be noted that TriZetto handles more than 4 billion payment, enrollment, and claims transactions each year in its capacity as a HIPAA business associate. The final total could therefore be substantially higher than the 3.6 million individuals currently known to have been affected.
Notification letters have started to be mailed to the affected individuals. The HIPAA Journal has been contacted by individuals who have been confused after receiving a breach notice from Trizetto, as they had no direct dealings with the company. This is a common occurrence when data breaches occur at business associates of HIPAA-covered entities. One California resident claimed the letter she received did not state the name of the healthcare provider that provided Trizetto with her data, which made her question whether the notification letter could be a scam.
January 15, 2026: TriZetto Provider Solutions Issues Data Breach Notifications to HIPAA Covered Entities (Update)
TriZetto Provider Solutions, a Cognizant-owned provider of revenue management services to physicians, hospitals, and health systems, has started notifying certain healthcare clients about a recently identified cybersecurity incident.
On October 2, 2025, suspicious activity was identified within a web portal used by some of its healthcare provider customers to access TriZetto systems. Immediate action was taken to secure the web portal and mitigate the incident, and the cybersecurity firm Mandiant was engaged to investigate the activity, review the security of the web portal application, and ensure that the incident is fully remediated. TriZetto is satisfied that the threat actor has been eradicated from its system. No further unauthorized web portal activity has been detected since October 2, 2025.
While the cybersecurity incident was only recently detected, the unauthorized access had been ongoing for a considerable period of time. The forensic investigation determined that an unauthorized third party first started accessing historical eligibility transaction reports within the TriZetto system in November 2024, almost a year before the unauthorized access was detected. The reports within its storage system contained the protected health information of patients of certain healthcare provider clients.
Between October 2, 2025, and the end of November 2025, Trizetto reviewed the data within the compromised system to determine the types of data involved and the individuals affected. Information compromised in the incident includes the names of patients and primary insureds, in combination with some or all of the following: address, date of birth, Social Security number, health insurance member number (in some cases, Medicare beneficiary number), health insurer name, information about the primary insured or beneficiary, and other demographic health and health insurance information. TriZetto said no financial information was involved.
Notifications have been issued to the affected healthcare clients, who have been provided with a list of the affected individuals and a copy of the affected data. The HIPAA Breach Notification Rule requires notifications to be issued to the affected individuals within 60 days of a HIPAA-covered entity being notified about a data breach at a business associate. Assuming the affected healthcare providers comply with that HIPAA requirement, individual notifications for the affected individuals should be mailed within 60 days.
TriZetto has offered to handle the breach notifications on behalf of the affected clients, should they determine that breach notifications are required under HIPAA. TriZetto has also offered to notify the HHS’ Office for Civil Rights, state regulators, and media outlets on behalf of its covered entity clients, and will also cover the cost of complimentary credit monitoring, fraud consultation, and identity theft restoration services.
It is currently unclear how many of its healthcare provider clients have been affected. Trizetto informed one of the affected clients that the protected health information of more than 700,000 individuals was likely compromised in the attack.
A majority of the affected covered entities are based in California and did not contract with Trizetto as a business associate. Trizetto was a subcontractor used by OCHIN, a provider of HealthIT solutions, workforce, and operational solutions to rural and community health centers. OCHIN was provided with certain patient data as required to perform its contracted services, and OCHIN subcontracted certain functions to TriZetto Provider Solutions. The incident highlights the wide-reaching effects of a cyberattack on a business associate or one of its vendors.
The HIPAA Journal is tracking breach reports, and confirmed data breaches are listed in the table below when each affected entity reports the breach to state attorneys general or the HHS’ Office for Civil Rights, makes a media announcement, or contacts The HIPAA Journal directly. The list below is not exhaustive.
| Affected Entity | State | Nature of Relationship | Affected Individuals |
| --- | --- | --- | --- |
| Asian Americans for Community Involvement | California | TriZetto was a subcontractor of business associate OCHIN | 521 |
| Axis Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 3,579 |
| Baltimore City Health Department | Maryland | TriZetto was a subcontractor of business associate OCHIN | 2,597 |
| Bay Area Community Health | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Benton County Health | Oregon | Business associate | 1,476 |
| Best Care | Oregon | Business associate | 1,650 |
| CE-Edinger Medical Group | California | Unknown | Unconfirmed |
| Chattanooga C.A.R.E.S. d/b/a Cempa Community Care | Tennessee | TriZetto was a subcontractor of business associate OCHIN | 1,341 |
| Columbia River Health | Oregon | Business associate | 304 |
| Deschutes County Health Services | Oregon | Business associate | 1,305 |
| Friends of Family Health Center | California | TriZetto was a subcontractor of business associate OCHIN | 2,256 |
| Gardner Health Services | California | Business associate | 6,197 |
| Harmony Health Medical Clinic and Family Resource Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Indian Health Center of Santa Clara Valley | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Ko-Kwel Wellness Center | Oregon | TriZetto was a subcontractor of business associate OCHIN | 543 |
| La Clinica de la Raza | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| La Pine Community Healthcare Center | Oregon | Business associate | 1,190 |
| Lifelong Medical Care | California | Business associate | 70,000 |
| Lynn Community Health | Massachusetts | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Mendocino Community Health Clinic | California | TriZetto was a subcontractor of business associate OCHIN | 3,538 |
| Mission Neighborhood Health Center | California | TriZetto was a subcontractor of business associate OCHIN | 3,741 |
| Native American Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| OLE Health (dba CommuniCare + OLE) | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| One Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 4,309 |
| Open Door Community Health Centers | California | TriZetto was a subcontractor of business associate OCHIN | 6,633 |
| Pafford Medical Services (Pafford EMS) | Arkansas | Business associate | 1,000 |
| Petaluma Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Planned Parenthood Northern California | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Share Ourselves | California | Business associate | 2,864 |
| San Francisco Community Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Riverland Community Health | Minnesota | Business associate | 940 |
| Santa Barbara County Health Department | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Santa Cruz Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 1,487 |
| Santa Rosa Community Health Centers | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Terry Reilly Health Services (Community Health Clinics Inc.) | Idaho | TriZetto was a subcontractor of business associate OCHIN | 5,421 |
| Tiburcio Vasquez Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Utah Valley Pediatrics | Utah | TriZetto was a subcontractor of business associate OCHIN | 9,958 |
| Valley Family Care | California | Business associate OCHIN | 4,300 |
| Variety Care | Oklahoma | Business associate | 17,163 |
| Winters Healthcare | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
This post was first published on December 11, 2025, and it will continue to be updated as further information about the TriZetto data breach is released.
The post Trizetto Data Breach: PHI of 3.4 Million Individuals Exposed appeared first on The HIPAA Journal.