The revenue cycle vendor says unauthorized access to eligibility data went undetected for nearly a year.
TriZetto Provider Solutions has begun notifying certain healthcare provider clients about a cybersecurity incident involving a customer web portal used to access TriZetto systems. According to reporting by Bank Info Security, suspicious activity was identified on October 2, 2025, prompting TriZetto to secure the portal and engage incident response firm Mandiant to investigate. The company said the attacker’s access has been removed and no further unauthorized activity has been detected since that date.
Forensic analysis determined that the unauthorized access began as early as November 2024 and involved historical eligibility transaction reports stored within the TriZetto environment. Those reports contained protected health information belonging to patients of certain provider clients. The data included patient and primary insured names along with demographic and insurance-related information such as addresses, dates of birth, Social Security numbers, health plan identifiers, and Medicare beneficiary numbers in some cases. TriZetto said financial account information was not involved. Between early October and late November 2025, the company reviewed the affected systems to identify impacted data and individuals and prepared client-specific disclosures.
TriZetto stated that it has notified affected healthcare providers and supplied them with copies of the impacted data and lists of affected individuals. The company said it has offered to assist clients with regulatory reporting, patient notifications, and credit monitoring services if required. TriZetto also said it is confident the threat actor has been eradicated and that additional security measures have been implemented following the investigation. The company did not disclose how many provider organizations were affected or the total number of patients involved.
Business associate breaches continue to be a stubborn problem for healthcare organizations, especially when outside vendors maintain eligibility, billing, or claims portals with long data retention periods. As has been true for years, third parties that handle HIPAA-protected health information account for many of the largest incidents reported in 2025. Data published on the HHS Office for Civil Rights website shows 218 breaches involving business associates so far this year, affecting nearly 18.3 million individuals.
They often contain demographic and insurance data that can be reused for fraud, impersonation, or follow-on attacks.
Covered entities must notify affected individuals within sixty days of being informed of a breach by a business associate.
Eligibility portals often host historical data and are accessed intermittently, which can make unusual access patterns harder to identify without focused monitoring.
It lowers certain fraud risks, but exposed identity and insurance information can still be misused.
They can require stronger access logging, regular security assessments, defined data retention limits, and clearer breach response obligations in vendor contracts.