TriZetto alerts healthcare clients to extended portal intrusion

The revenue cycle vendor says unauthorized access to eligibility data went undetected for nearly a year.

 

What happened

TriZetto Provider Solutions has begun notifying certain healthcare provider clients about a cybersecurity incident involving a customer web portal used to access TriZetto systems. According to reporting by Bank Info Security, suspicious activity was identified on October 2, 2025, prompting TriZetto to secure the portal and engage incident response firm Mandiant to investigate. The company said the attacker’s access has been removed and no further unauthorized activity has been detected since that date.

 

Going deeper

Forensic analysis determined that the unauthorized access began as early as November 2024 and involved historical eligibility transaction reports stored within the TriZetto environment. Those reports contained protected health information belonging to patients of certain provider clients. The data included patient and primary insured names along with demographic and insurance-related information such as addresses, dates of birth, Social Security numbers, health plan identifiers, and Medicare beneficiary numbers in some cases. TriZetto said financial account information was not involved. Between early October and late November 2025, the company reviewed the affected systems to identify impacted data and individuals and prepared client-specific disclosures.

 

What was said

TriZetto stated that it has notified affected healthcare providers and supplied them with copies of the impacted data and lists of affected individuals. The company said it has offered to assist clients with regulatory reporting, patient notifications, and credit monitoring services if required. TriZetto also said it is confident the threat actor has been eradicated and that additional security measures have been implemented following the investigation. The company did not disclose how many provider organizations were affected or the total number of patients involved.

 

The big picture

Business associate breaches continue to be a stubborn problem for healthcare organizations, especially when outside vendors maintain eligibility, billing, or claims portals with long data retention periods. As has been true for years, third parties that handle HIPAA-protected health information account for many of the largest incidents reported in 2025. Data published on the HHS Office for Civil Rights website shows 218 breaches involving business associates so far this year, affecting nearly 18.3 million individuals.

 

FAQs

Why are eligibility systems attractive targets?

They often contain demographic and insurance data that can be reused for fraud, impersonation, or follow-on attacks.

 

What responsibilities do healthcare providers have when a vendor is breached?

Covered entities must notify affected individuals within sixty days of being informed of a breach by a business associate.

 

Why did the intrusion go undetected for so long?

Eligibility portals often host historical data and are accessed intermittently, which can make unusual access patterns harder to identify without focused monitoring.

 

Does the absence of financial data reduce patient risk?

It lowers certain fraud risks, but exposed identity and insurance information can still be misused.

 

What steps can providers take to reduce third-party exposure?

They can require stronger access logging, regular security assessments, defined data retention limits, and clearer breach response obligations in vendor contracts.
