Missouri-based TriZetto, a major healthcare technology company, has disclosed that there has been a data breach that could have affected as many as 3.4 million people. The exact number of 3,433,965 was revealed in a filing with the Maine Attorney General.
Apparently, the breach started in November 2024 and was not detected until October 2nd, 2025. Things exploded when the company noticed suspicious activity in the web portal used by some healthcare provider customers.
Subsequently, the company announced the loss of sensitive patient and insurance data. The data breach included names, dates of birth, social security numbers, and health insurance member numbers. Additionally, the compromised information involved provider names, health insurance plan names, primary insured details, and various other demographic, health, and health insurance-related information.
The company reassured that banking details and financial information were not leaked during this time. The organisation is currently unaware of any identity theft or fraud linked to this breach, but acknowledges the possibility of this information surfacing on the dark web many years later.
The individuals affected have been reached out to, and TriZetto is offering free identity theft and credit monitoring services through Kroll to mitigate any backlash.
Healthcare organisations such as OCHIN (a non-profit supporting rural and community health providers) have confirmed that their patient information was leaked.
It is important to note that TriZetto was acquired by Cognizant, a global IT business process service company. They acquired TriZetto in September 2014 for USD 2.7 billion.
Cognizant is working to contain the situation, claiming that threat actors were eliminated from its environment and no unauthorised access has been detected since.
The company has hired Mandiant, a major cybersecurity firm, for forensic investigations and to help close security gaps. It’s important to note that Cognizant is already defending multiple class action lawsuits in the United States in federal courts for negligence in safeguarding data, delayed notification, and inadequate security measures.