Full Report
TriZetto Provider Solutions, a healthcare IT company that develops software and services used by health insurers and healthcare providers, has suffered a data breach that exposed the sensitive information of over 3.4 million people. [...]
Analysis Summary
# Incident Report: TriZetto Provider Solutions Data Breach
## Executive Summary
TriZetto Provider Solutions, a subsidiary of Cognizant, experienced a long-term data breach involving unauthorized access to a web portal used for insurance eligibility verification. The incident resulted in the exposure of sensitive personal and health information (PHI) belonging to over 3.4 million individuals. While the breach began in November 2024, it remained undetected for nearly a year until discovery in October 2025.
## Incident Details
- **Discovery Date:** October 2, 2025
- **Incident Date:** November 19, 2024 – October 2, 2025
- **Affected Organization:** TriZetto Provider Solutions (Cognizant)
- **Sector:** Healthcare IT / Insurance
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** November 19, 2024
- **Vector:** Unauthorized access via a web portal.
- **Details:** Threat actors gained access to a portal used by healthcare providers for insurance eligibility verification transactions.
### Lateral Movement
- **Details:** Not explicitly disclosed; however, the attackers maintained persistent access to the transaction environment for approximately 10.5 months.
### Data Exfiltration/Impact
- **Details:** Attackers accessed records containing sensitive patient data, including Social Security numbers and Medicare identifiers, during the verification of insurance coverage.
### Detection & Response
- **October 2, 2025:** TriZetto detected suspicious activity on the web portal and initiated an investigation.
- **December 9, 2025:** Affected healthcare providers were alerted to the breach.
- **February 2026:** Notification of the ~3.4 million affected individuals began.
- **March 6, 2026:** Formal filing submitted to the Maine Attorney General's office.
## Attack Methodology
- **Initial Access:** Web Portal Vulnerability/Unauthorized Access.
- **Persistence:** Long-term dwelling (nearly one year) within the portal environment.
- **Collection:** Gathering data from insurance eligibility verification transactions.
- **Exfiltration:** Accessing and potentially harvesting PHI and PII.
- **Impact:** Massive data exposure of 3,433,965 individuals.
## Impact Assessment
- **Financial:** Costs associated with 12 months of credit monitoring for 3.4M people; potential regulatory fines.
- **Data Breach:** Exposure of Names, DOBs, SSNs, Medicare IDs, and insurance details.
- **Operational:** Investigation required external cybersecurity experts; delayed notification timeline suggests complex remediation.
- **Reputational:** Significant public impact due to the scale of the breach and the history of security incidents at the parent company (Cognizant).
## Indicators of Compromise
- **Network indicators:** hxxps[://]portal[.]trizettoprovider[.]com (Assumed portal URL - defanged)
- **Behavioral indicators:** Unusual login patterns or high-volume queries for eligibility verification transactions over an extended period.
## Response Actions
- **Containment:** Secured the affected web portal once suspicious activity was identified.
- **Eradication:** Strengthened cybersecurity systems and internal controls.
- **Recovery:** Notified affected providers and individuals; offered 12 months of Kroll identity protection services.
- **Legal:** Informed law enforcement authorities and state Attorneys General.
## Lessons Learned
- **Detection Latency:** A dwell time of 10 months is unacceptable; the organization lacked effective monitoring/alerting on its public-facing portals.
- **Third-Party Risk:** The vulnerability in the eligibility portal affected thousands of downstream healthcare providers.
- **Notification Delay:** There was a significant gap (approx. 4 months) between discovery and individual consumer notification.
## Recommendations
- **Enhanced Monitoring:** Implement Behavioral Analytics (UEBA) to detect abnormal transaction volumes or unusual access times on web portals.
- **Identity & Access Management:** Enforce Multi-Factor Authentication (MFA) for all web portal accounts, especially those handling PII/PHI.
- **Vulnerability Management:** Perform frequent penetration testing and web application firewalls (WAF) tuning for all external-facing insurance tools.
- **Log Retention & Review:** Ensure portal logs are ingested into a SIEM with automated alerts for bulk exports of sensitive data.