More Than 3.4 Million Individuals Affected by TriZetto Provider Solutions Data Breach

A data breach at TriZetto Provider Solutions has affected more than 3.4 million individuals, according to a breach notice submitted to the Oregon Attorney General. TriZetto Provider Solutions is a HIPAA business associate that provides revenue management services to health systems, hospitals, and physician practices. The Oregon Attorney General’s website states that 3,433,965 individuals have been affected, while the Texas Attorney General’s website shows 171,158 Texas residents had data exposed in the incident.

The Cognizant-owned company said it detected suspicious activity within a web portal on October 2, 2025. The portal is used by some of its healthcare provider clients to access TriZetto’s systems, which contain patients’ protected health information. Immediate action was taken to secure the web portal, and no unauthorized activity has been detected within the web portal since it was secured on October 2, 2025.

TriZetto has reviewed the exposed data and notified the affected clients, who have been notifying the HHS’ Office for Civil Rights individually about the data breach. In some cases, TriZetto was not directly engaged with some of the affected healthcare providers. For instance, TriZetto was a subcontractor of OCHIN, a business associate of many of the affected healthcare providers.

Most of the affected HIPAA-covered entity clients have reported that relatively small numbers of their patients were affected – a few hundred to the low thousands; however, those figures add up to more than 3 million. Most of the clients who have notified OCR that they have been affected are based in California, although state Attorneys General across the country have been informed that some of their state residents have been affected.

When a data breach occurs at a business associate of a HIPAA-covered entity, the HIPAA Breach Notification Rule requires the business associate to notify each affected covered entity within 60 days of the discovery of a data breach, and then there is a further 60 days for the covered entity to ensure that notification letters are issued. That responsibility may be delegated to the business associate. That means that individuals affected by business associate data breaches may have to wait twice as long to be notified as those affected by, say, a data breach at a healthcare provider.

More than four months have passed since the data breach was detected by TriZetto, so notification letters should have now been mailed to the affected individuals. The data potentially compromised in the incident varies from individual to individual and may include names, addresses, dates of birth, Social Security numbers, health insurance member numbers, Medicare Beneficiary numbers, demographic health, and health insurance information.

While individual healthcare providers have notified OCR about the data breach, TriZetto offered to mail notification letters to the affected individuals on behalf of its covered entity clients. Those individuals will receive a notification letter from TriZetto, a company with which they have had no dealings, as they would most likely be unaware that TriZetto was working with their healthcare provider. The affected individuals have been offered complimentary credit monitoring and identity theft protection services, and while there has been no known misuse of individuals’ data as a result of the data breach, individuals who are offered those services should sign up for them to protect themselves against data misuse.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/