
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

TriZetto Data Breach: PHI of 3.4 Million Individuals Exposed

It has been more than four months since TriZetto Provider Solutions discovered unauthorized access to its IT environment, and it has now been confirmed that the protected health information of at least 3,433,965 individuals was exposed or compromised in the incident. The data breach has recently been added to the HHS’ Office for Civil Rights breach portal. At more than 3.4 million affected individuals, it ranks as one of the largest healthcare data breaches to be confirmed this year.

TriZetto identified suspicious activity within its web portal on October 2, 2025. The web portal is used by its clients to access TriZetto systems. TriZetto took immediate action to prevent further unauthorized access to its systems and has not detected any further unauthorized activity since that date. The forensic investigation revealed that the threat actor first gained access to data almost a year before the unauthorized access was detected. The first unauthorized access to records occurred in November 2024. The data breach affected the revenue cycle management side of the business and the compromised records related to insurance eligibility verification transactions, which healthcare providers process to assess insurance coverage for the treatments they provide to patients.

TriZetto learned on or around November 28, 2025, that the impacted data included protected health information such as names, addresses, birth dates, Social Security numbers, health insurance numbers, Medicare beneficiary numbers, provider names, health insurer names, primary insured information, and other types of demographic, health, and health insurance information.

TriZetto started notifying the affected providers on December 9, 2025. Some of the affected healthcare organizations have issued their own breach notices. As further affected clients are identified, The HIPAA Journal has added them to the table at the bottom of this article. The list is based on notices to patients, state attorneys general, and OCR. Clients that have delegated the notification responsibilities to TriZetto are not included in the list. TriZetto has not publicly disclosed which clients were affected.


While some of the affected healthcare providers had a direct business associate relationship with TriZetto, in some cases, TriZetto was a subcontractor of one of their vendors. For instance, OCHIN Epic, a company that manages electronic health records for healthcare providers, contracted with TriZetto to provide billing services. OCHIN said the TriZetto data breach affected around 9% of the patient population of its member network. According to the OCHIN website, there are more than 7.9 million OCHIN Epic patients, which suggests that around 711,000 OCHIN patients were affected.

January 26, 2026: TriZetto Data Breach Victim Count Swells

Based on previous estimates of the scale of the TriZetto data breach, more than 700,000 individuals were thought to have been affected. It is now clear that the data breach was significantly bigger. The Oregon Attorney General has recently been informed that the personal and protected health information of 3,433,965 individuals was exposed or compromised in the incident, plus a further 304 individuals in TriZetto’s capacity as a business associate of Columbia River Health.

Attorneys General in other U.S. states have also received breach notices, although few publicly disclose the number of state residents affected. Two states that do are Texas and South Carolina. The Texas Attorney General was informed that the personal and protected health information of 171,158 Texas residents was compromised in the incident, while South Carolina was informed that 3,562 individuals in the state were affected. Other states that have been notified but have not published the number of affected individuals include California, Massachusetts, New Hampshire, and Vermont. Based on the disclosures to the Oregon, Texas, and New Hampshire Attorneys General alone, the data breach is known to have affected more than 3.6 million individuals, making it one of the largest healthcare data breaches of 2025.

TriZetto has yet to confirm whether the review of the affected data has been completed, and there is currently no TriZetto data breach listed on the HHS’ Office for Civil Rights breach portal. It is not unusual for the number of affected individuals to be increased several times as data breach investigations and data reviews progress. For instance, the massive data breach at Change Healthcare in 2024 was first reported as affecting 500 individuals. The total number of affected individuals was updated to 100 million, and the final estimate provided to regulators was 192,700,000 individuals.

While the TriZetto Provider Solutions data breach is unlikely to match the scale of the Change Healthcare data breach, it should be noted that TriZetto handles more than 4 billion payment, enrollment, and claims transactions each year in its capacity as a HIPAA business associate. The number of affected individuals could therefore be substantially higher than the 3.6 million individuals currently known to have been affected.

Notification letters have started to be mailed to the affected individuals. The HIPAA Journal has been contacted by individuals who have been confused after receiving a breach notice from TriZetto, as they had no direct dealings with the company. This is a common occurrence when data breaches occur at business associates of HIPAA-covered entities. One California resident claimed the letter she received did not state the name of the healthcare provider that provided TriZetto with her data, which made her question whether the notification letter could be a scam.

January 15, 2026: TriZetto Provider Solutions Issues Data Breach Notifications to HIPAA Covered Entities (Update)

TriZetto Provider Solutions, a Cognizant-owned Missouri-based provider of revenue management services to physicians, hospitals, and health systems, and a claims clearinghouse, has started notifying certain healthcare clients about a recently identified cybersecurity incident.

On October 2, 2025, suspicious activity was identified within a web portal used by some of its healthcare provider customers to access TriZetto systems. Immediate action was taken to secure the web portal and mitigate the incident, and the cybersecurity firm Mandiant was engaged to investigate the activity, review the security of the web portal application, and ensure that the incident is fully remediated. TriZetto is satisfied that the threat actor has been eradicated from its system. No further unauthorized web portal activity has been detected since October 2, 2025.

While the cybersecurity incident was only recently detected, the unauthorized access had been ongoing for a considerable period of time. The forensic investigation determined that an unauthorized third party first started accessing historical eligibility transaction reports within the TriZetto system in November 2024, almost a year before the unauthorized access was detected. The reports within its storage system contained the protected health information of patients of certain healthcare provider clients.

Between October 2, 2025, and the end of November 2025, TriZetto reviewed the data within the compromised system to determine the types of data involved and the individuals affected. Information compromised in the incident includes the names of patients and primary insureds, in combination with some or all of the following: address, date of birth, Social Security number, health insurance member number (in some cases, Medicare beneficiary number), health insurer name, information about the primary insured or beneficiary, and other demographic, health, and health insurance information. TriZetto said no financial information was involved.

Notifications have been issued to the affected healthcare clients, who have been provided with a list of the affected individuals and a copy of the affected data. The HIPAA Breach Notification Rule requires notifications to be issued to the affected individuals within 60 days of a HIPAA-covered entity being notified about a data breach at a business associate. Assuming the affected healthcare providers comply with that HIPAA requirement, individual notifications for the affected individuals should be mailed within 60 days.

TriZetto has offered to handle the breach notifications on behalf of the affected clients, should they determine that breach notifications are required under HIPAA. TriZetto has also offered to notify the HHS’ Office for Civil Rights, state regulators, and media outlets on behalf of its covered entity clients, and will also cover the cost of complimentary credit monitoring, fraud consultation, and identity theft restoration services.

It is currently unclear how many of its healthcare provider clients have been affected. TriZetto informed one of the affected clients that the protected health information of more than 700,000 individuals was likely compromised in the attack.

A majority of the affected covered entities are based in California and did not contract with TriZetto as a business associate. TriZetto was a subcontractor used by OCHIN, a provider of HealthIT solutions, workforce, and operational solutions to rural and community health centers. OCHIN was provided with certain patient data as required to perform its contracted services, and OCHIN subcontracted certain functions to TriZetto Provider Solutions. The incident highlights the wide-reaching effects of a cyberattack on a business associate or one of its vendors.

The HIPAA Journal is tracking breach reports, and confirmed data breaches are listed in the table below when each affected entity reports the breach to state attorneys general or the HHS’ Office for Civil Rights, makes a media announcement, or contacts The HIPAA Journal directly. The list below is not exhaustive.

| Affected Entity | State | Nature of Relationship | Affected Individuals |
|---|---|---|---|
| Adapt Integrated Healthcare | Oregon | TriZetto was a subcontractor of business associate OCHIN | 2,908 |
| Asian Americans for Community Involvement | California | TriZetto was a subcontractor of business associate OCHIN | 521 |
| Axis Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 3,579 |
| Baltimore City Health Department | Maryland | TriZetto was a subcontractor of business associate OCHIN | 2,597 |
| Bay Area Community Health | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Benton County Health | Oregon | Business associate | 1,476 |
| Best Care | Oregon | Business associate | 1,650 |
| Cascadia Health | Oregon | Business associate | 1,800 |
| CE-Edinger Medical Group | California | Unknown | Unconfirmed |
| Chattanooga C.A.R.E.S. d/b/a Cempa Community Care | Tennessee | TriZetto was a subcontractor of business associate OCHIN | 1,341 |
| Coastal Skin Surgery & Dermatology | Florida | Business associate | 6,173 |
| Colorado Allergy & Asthma Centers | Colorado | Business associate | 2,063 |
| Columbia River Health | Oregon | Business associate | 304 |
| Deschutes County Health Services | Oregon | Business associate | 1,305 |
| Erie Family Health Centers | Illinois | Business associate | Unconfirmed |
| Friends of Family Health Center | California | TriZetto was a subcontractor of business associate OCHIN | 2,256 |
| Gardner Health Services | California | Business associate | 6,197 |
| Harmony Health Medical Clinic and Family Resource Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Houston Health Department | Texas | Business associate | 7,445 |
| Indian Health Center of Santa Clara Valley | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Ko-Kwel Wellness Center | Oregon | TriZetto was a subcontractor of business associate OCHIN | 543 |
| La Clinica de la Raza | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| La Pine Community Healthcare Center | Oregon | Business associate | 1,190 |
| Lifelong Medical Care | California | Business associate | 70,000 |
| Lynn Community Health | Massachusetts | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Mendocino Community Health Clinic | California | TriZetto was a subcontractor of business associate OCHIN | 3,538 |
| Mission Neighborhood Health Center | California | TriZetto was a subcontractor of business associate OCHIN | 3,741 |
| Native American Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| OLE Health (dba CommuniCare + OLE) | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| One Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 4,309 |
| Open Door Community Health Centers | California | TriZetto was a subcontractor of business associate OCHIN | 6,633 |
| Pafford Medical Services (Pafford EMS) | Arkansas | Business associate | 1,000 |
| Petaluma Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Planned Parenthood Northern California | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Share Ourselves | California | Business associate | 2,864 |
| San Francisco Community Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Riverland Community Health | Minnesota | Business associate | 940 |
| Santa Barbara County Health Department | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Santa Cruz Community Health | California | TriZetto was a subcontractor of business associate OCHIN | 1,487 |
| Santa Rosa Community Health Centers | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Terry Reilly Health Services (Community Health Clinics Inc.) | Idaho | TriZetto was a subcontractor of business associate OCHIN | 5,421 |
| Tiburcio Vasquez Health Center | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |
| Utah Valley Pediatrics | Utah | TriZetto was a subcontractor of business associate OCHIN | 9,958 |
| Valley Family Health Care | California | Business associate OCHIN | 4,300 |
| Variety Care | Oklahoma | Business associate | 17,163 |
| Winters Healthcare | California | TriZetto was a subcontractor of business associate OCHIN | Unconfirmed |

This post was first published on December 11, 2025, and it will continue to be updated as further information about the TriZetto data breach is released. 

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
