Full Report
TriZetto Provider Solutions (“TPS”) recently experienced a cybersecurity incident that affected certain protected health information of certain of its healthcare provider customers’ patients. TPS provides billing-related services to healthcare providers, such as hospitals, health systems, and physician practices. This notice explains the incident, the measures TPS has taken in response, and the steps individuals can take for further protection.

What Happened?

On October 2, 2025, TPS became aware of suspicious activity within a web portal that some of TPS’s healthcare provider customers use to access its systems. Upon discovering the incident, TPS quickly launched an investigation and took steps to mitigate the issue. TPS also engaged external cybersecurity experts and notified law enforcement. TPS determined that, beginning in November 2024, an unauthorized actor began accessing some records related to insurance eligibility verification transactions that healthcare providers process to assess insurance coverage for treatment services they provide to patients. A thorough review of the affected data was conducted to identify what information was involved and the individuals to whom the data related.
Analysis Summary
# Incident Report: TriZetto Provider Solutions Healthcare Data Breach
## Executive Summary
TriZetto Provider Solutions (TPS) experienced a cybersecurity incident where an unauthorized actor accessed patient Protected Health Information (PHI) related to insurance eligibility verification transactions. The intrusion began in November 2024, but was only discovered on October 2, 2025, via suspicious activity on a web portal. TPS responded by launching an investigation, engaging experts, notifying law enforcement, and offering affected individuals complimentary identity monitoring services.
## Incident Details
- **Discovery Date:** October 2, 2025
- **Incident Date (Start):** November 2024 (Began accessing records)
- **Affected Organization:** TriZetto Provider Solutions (“TPS”)
- **Sector:** Healthcare Billing Services / Technology Services for Healthcare Providers
- **Geography:** Not explicitly stated (Implied US based on healthcare regulations and state notices)
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning in November 2024
- **Vector:** Unauthorized access into a web portal used by healthcare provider customers.
- **Details:** An unauthorized actor began accessing records related to insurance eligibility verification transactions.
### Lateral Movement
- *Not explicitly described in the summary; movement or sustained access is implied by the data access that followed.*
### Data Exfiltration/Impact
- **Date/Time:** Between November 2024 and October 2, 2025 (duration of unauthorized access).
- **Details:** Access to sensitive PHI and personal identifying information (PII) used for insurance verification. *No financial account data was confirmed affected.*
### Detection & Response
- **Detection:** October 2, 2025, when TPS became aware of suspicious activity within the web portal.
- **Response Actions (Immediate):** Launched an investigation, took steps to mitigate the issue, engaged external cybersecurity experts, and notified law enforcement.
- **Response Actions (Post-Discovery):** Implemented additional security protocols, notified affected providers starting December 9, 2025, and offered identity monitoring services.
## Attack Methodology
- **Initial Access:** Exploitation or compromise of a customer-facing web portal used to access TPS systems (the notice does not say which).
- **Persistence:** *Not explicitly detailed, but sustained access was maintained from November 2024 until detection.*
- **Privilege Escalation:** *Not detailed.*
- **Defense Evasion:** *Not detailed.*
- **Credential Access:** *Implied, as access was gained to a web portal.*
- **Discovery:** *Implied reconnaissance occurred to locate and access eligibility verification records.*
- **Lateral Movement:** *Not detailed.*
- **Collection:** Gathering records associated with insurance eligibility verification transactions.
- **Exfiltration:** *Specific exfiltration methods are not detailed; the notice states that records were accessed and that the affected data was reviewed to identify the individuals involved.*
- **Impact:** Compromise of patient PII and PHI.
## Impact Assessment
- **Financial:** Not disclosed (Identity monitoring services offered).
- **Data Breach:** Protected Health Information (PHI) and PII potentially exposed, including: Name, address, date of birth, Social Security number, health insurance member number (potentially Medicare beneficiary identifier), health insurer name, and dependent information. **Financial/Payment Card data was explicitly stated as NOT affected.**
- **Operational:** Required immediate investigation, expert engagement, and notification procedures.
- **Reputational:** Public notification required (Data Breach Notice). No fraud is currently known to have been reported.
## Indicators of Compromise
*No specific technical IOCs (IPs, hashes, domains) were provided in the summary.*
## Response Actions
- **Containment Measures:** Took immediate steps to mitigate the reported issue upon detection on October 2, 2025, and implemented additional security protocols.
- **Eradication Steps:** Comprehensive investigation conducted by TPS and external cybersecurity experts.
- **Recovery Actions:** Notified affected providers (starting Dec 9, 2025) and offered complimentary identity monitoring services (credit monitoring, fraud consultation, identity restoration) to affected individuals.
## Lessons Learned
- **Detection Lag:** A significant gap existed between the start of unauthorized access (November 2024) and discovery (October 2025), indicating potential issues with real-time monitoring or alerting on web portal access.
- **Third-Party Access Risk:** Increased vigilance is required for external customer-facing portals that handle sensitive data.
## Recommendations
- Enhance continuous monitoring and anomaly detection specifically on customer web portals and access points.
- Conduct immediate forensic analysis upon detection of suspicious activity, rather than waiting for a full investigation timeline.
- Review and strengthen authentication and authorization mechanisms related to insurance eligibility verification data access.