
TriZetto names clients tied to months-long eligibility data exposure

Written by Farah Amod | February 4, 2026

The revenue cycle vendor says patient eligibility data was accessed for months before detection.

 

What happened

TriZetto Provider Solutions, a Cognizant-owned healthcare technology vendor, has begun notifying certain provider clients about a cybersecurity incident involving a customer web portal. TriZetto said suspicious activity was identified on October 2, 2025, and the portal was secured the same day. A forensic investigation later determined that an unauthorized party had been accessing historical eligibility transaction reports, with the access beginning as far back as November 2024. The exposed data included patient and primary insured information tied to specific provider clients.

 

Going deeper

The investigation found that the attacker accessed stored eligibility reports rather than real-time transaction systems. The compromised data included patient and insured names along with demographic and insurance details such as addresses, dates of birth, Social Security numbers in some cases, member identifiers, insurer names, and related coverage information. TriZetto said no payment card or banking data was involved. After identifying the scope of exposure, the company reviewed affected records through November 2025 and provided impacted healthcare providers with lists of affected individuals and copies of the data involved. TriZetto also engaged Mandiant to support containment, eradication, and security review efforts, and stated that no further unauthorized access has been detected since the portal was secured.

 

In the know

The full scope of the incident has not yet been disclosed, and it remains unclear how many healthcare organizations were ultimately impacted. However, the fact that the environment was compromised for approximately 11 months suggests the exposure could be extensive. Healthcare providers that have publicly confirmed involvement to date include:

• CE-Edinger Medical Group (California)

• Friends of Family Health Center (California)

• Gardner Health Services (California – 6,197 individuals)

• Harmony Health Medical Clinic and Family Resource Center (California)

• La Clinica de la Raza (California; TriZetto acted as a subcontractor to business associate OCHIN)

• Lifelong Medical Care (California)

• Lynn Community Health (Massachusetts)

• Mission Neighborhood Health Center (California – 3,741 individuals)

• Native American Health Center (California)

• One Community Health (California – 4,309 individuals; TriZetto subcontracted via OCHIN)

• Open Door Community Health Centers (California)

• Planned Parenthood Northern California (TriZetto subcontracted via OCHIN)

• Share Ourselves (California – 2,864 individuals)

• San Francisco Community Health Center (California)

• Santa Barbara County Health Department (California; TriZetto subcontracted via OCHIN)

• Santa Rosa Community Health Centers (California; TriZetto subcontracted via OCHIN)

• Variety Care (Oklahoma – 17,163 individuals)

 

What was said

In notification letters sent to affected patients, TriZetto Provider Solutions described the incident as a vendor-side compromise involving a customer web portal. The notice states that “on October 2, 2025, TPS became aware of suspicious activity within a web portal that some of TPS’s healthcare provider customers use to access its systems.”

According to the letter, “TPS quickly launched an investigation and took steps to mitigate the issue,” and “engaged external cybersecurity experts and notified law enforcement.” TriZetto later determined that “beginning in November 2024, an unauthorized person began accessing some records related to insurance eligibility verification transactions” used by healthcare providers.

The notice says TriZetto has since “eliminated the threat to the environment” and “implemented and is continuing to implement additional security protocols designed to enhance the security of its services.” It also states that, at the time of notification, “We are not aware of any identity theft or fraud related to the use of any affected individual’s information.”

 

The big picture

Third-party breaches continue to be a stubborn problem for healthcare organizations, especially when vendors operate eligibility, billing, or claims systems that retain sensitive data for long periods. As in prior years, business associates that handle HIPAA-protected information were tied to many of the largest incidents reported last year. An example was the Change Healthcare ransomware attack, a third-party breach that ultimately affected roughly 193 million individuals, ranking it among the largest healthcare data breaches ever reported.

That incident fits a broader pattern. In its 2025 cybersecurity year review, the American Hospital Association reported that more than 80% of stolen protected health information records were taken from third-party vendors, software services, business associates, and non-hospital entities, rather than directly from hospitals themselves. The data reinforces how deeply vendor relationships shape breach exposure across the healthcare sector.

 

FAQs

Why are eligibility reports sensitive under HIPAA?

They can contain identifiers, insurance information, and coverage details that link individuals to healthcare services, even without clinical records.

 

Why did detection take so long in this case?

The activity involved access to stored reports rather than system disruption, which can be harder to detect without detailed audit logging and anomaly monitoring.

 

Who is responsible for notifying patients?

Under HIPAA, covered entities retain responsibility for patient notification, although business associates may assist or act on their behalf.

 

Does lack of financial data reduce patient risk?

It lowers the risk of direct financial fraud, but exposed identifiers and insurance details can still be misused for identity or medical fraud.

 

What should providers do after receiving notice from a vendor?

They should review the affected data, assess notification obligations, coordinate regulatory reporting, and determine whether vendor access controls and monitoring require updates.