Active breach tracker Missouri Disclosed February 6, 2026 Part of TriZetto / Cognizant cluster

TriZetto Provider Solutions Breach 2026 (Cognizant): 3.4M Patients Exposed. What Was Stolen and What To Do

The TriZetto Provider Solutions data breach, disclosed February 2026, exposed Social Security numbers, Medicare Beneficiary IDs, and health insurance data for 3,433,965 Americans across 44+ downstream healthcare providers. If you received a notification letter from TriZetto, Kroll, or any provider naming TriZetto, here is what was taken and what to do.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Nov 19, 2024

Unauthorized access began

Oct 2, 2025

Suspicious activity detected; Mandiant engaged

Dec 9, 2025

Provider customers notified

Feb 6, 2026

Filed with HHS OCR; individual letters mailed

Mar 13, 2026

First federal class action filed (Madoff v. Cognizant)

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

03

Contact & insurance

Phishing + targeted scams

Full name Home address Health insurance member number Medicare Beneficiary Identifier Health insurer name Provider name Primary insured / dependent info

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Wolf Popper Lynch Carpenter Strauss Borrelli Kopelowitz Ostrow Federman & Sherwood Barnow & Associates
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

TriZetto Provider Solutions is a healthcare-claims and insurance-eligibility-verification clearinghouse owned by Cognizant Technology Solutions. It sits in the middle of US healthcare payments: when a provider verifies whether a patient’s insurance covers a service, that transaction often passes through TriZetto’s systems. The company serves dozens of healthcare providers, federally qualified health centers, hospital systems, and the OCHIN network of community health clinics.

On October 2, 2025, TriZetto detected suspicious activity inside a customer-facing web portal that its healthcare-provider clients use to access historical insurance eligibility transaction records. The forensic investigation that followed, led by Mandiant, traced the unauthorized access back to November 19, 2024. The attacker spent close to eleven months inside the system before detection.

TriZetto notified its healthcare-provider customers on December 9, 2025, gave them time to identify their affected patients, and then filed with the US Department of Health and Human Services Office for Civil Rights on February 6, 2026. The filing confirmed 3,433,965 individuals were affected. State attorneys general in Oregon, Texas, California, Massachusetts, New Hampshire, Vermont, Maine, and South Carolina received parallel filings.

Because TriZetto is a business associate, most affected individuals have no direct relationship with TriZetto itself. If you received care from any provider that uses TriZetto for eligibility verification, or from any health center in the OCHIN network, your records may have been in the system the attacker accessed.

What was stolen

The forensic investigation confirmed the compromised records contained:

  • Full name
  • Date of birth
  • Home address
  • Social Security number
  • Health insurance member number
  • Medicare Beneficiary Identifier (for affected Medicare enrollees)
  • Health insurer name
  • Provider name
  • Primary insured and dependent information

Notification letters explicitly state that payment card, bank account, and financial information were not in the compromised dataset. The exposure is identity-fraud and medical-identity-fraud shaped, not credit-card shaped.

The combination of SSN plus Medicare Beneficiary Identifier is particularly serious for older adults. The Medicare ID gives a fraudster the key to file false claims under your Medicare coverage, which is harder to detect than a fraudulent credit-card charge because the explanation-of-benefits arrives in the mail weeks later.

Who is affected (downstream providers)

TriZetto provides eligibility-verification infrastructure to at least 44 downstream covered entities, with industry estimates closer to 54+ once the full OCHIN subcontractor chain is accounted for. Named downstream entities include:

  • OCHIN (community health network covering ~9% of its ~711,000 Epic patients)
  • Open Door Community Health Centers (Oregon)
  • LifeLong Medical Care
  • San Francisco Community Health Center
  • Asian Americans for Community Involvement (AACI)
  • Planned Parenthood Northern California
  • Gardner Health Services
  • Mission Neighborhood Health Center
  • One Community Health
  • Variety Care
  • Columbia River Health
  • Cascadia Health
  • Lynn Community Health Center
  • MercyOne
  • Norman Regional Health System
  • Native American Health Center
  • La Clinica de la Raza
  • Shoreline Orthopaedics
  • Utah Valley Pediatrics

Many additional federally qualified health centers and provider groups have published notices on their own websites. If you received care at any FQHC in the OCHIN network between 2024 and 2025, you may be included even if no provider has contacted you directly yet.

What TriZetto is offering

Affected individuals are being directed to Kroll (call center: 844-572-2725; enrollment site: tpsincident.kroll.com) for 12 months of complimentary credit monitoring, single-bureau, plus a credit report, credit score, fraud consultation, and identity-theft restoration services. Enrollment deadlines vary by letter cohort but generally run through May or August 2026.

Credit monitoring catches new credit accounts opened in your name. It does not stop your Medicare Beneficiary Identifier from being used to file false healthcare claims, and it does not stop your health information from being sold downstream to data brokers.

What to do if you received a notification letter

This week:

  1. Accept the Kroll credit monitoring. Twelve months is shorter than typical and there is no extension yet announced, so use the full window.
  2. Place a free credit freeze at Equifax, Experian, and TransUnion.
  3. File IRS Form 14039 to prevent a fraudulent tax return under your SSN.
  4. If you are a Medicare beneficiary, also call 1-800-MEDICARE and ask for a new Medicare Beneficiary Identifier. Medicare will issue a replacement card; the old MBI gets flagged for fraud monitoring.
  5. Review Explanation of Benefits (EOB) statements from your health insurer for any services you did not receive.

This month:

  1. Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the demographic and insurance data exposed in this breach is not continuously re-shared and sold by other entities downstream.
  2. Check whether you also received care from an OCHIN-network FQHC. If you did, OCHIN’s notice at ochin.org/news/trizetto-third-party-breach may apply to you separately, and the affected patient list there is still expanding as downstream providers complete their reviews.

Frequently asked questions

How do I know if I am affected?

If you received care at any of the 44+ downstream providers listed above (or any OCHIN-network health center), and if your health insurance was billed through TriZetto’s eligibility-verification system between late 2024 and October 2025, you are likely affected. Notification letters are being mailed in waves. Not having received one yet does not mean you are excluded.

Why is the time between the attack and notification so long?

The attacker had access from November 2024 but the activity was not detected until October 2025. TriZetto then needed several months to identify which downstream providers had affected patients and which specific records were exposed. By federal law, covered entities must notify within 60 days of determining who is affected, not within 60 days of the incident itself.

Was a ransomware group involved?

No group has publicly claimed responsibility, and TriZetto has not attributed the intrusion. No data from this incident has been observed on dark-web leak sites tied to the TriZetto compromise itself. (A separate “Insomnia” leak listing for Valley Family Health Care is treated by reporters as a related but distinct downstream incident.)

Should I sue?

At least four named federal class actions have been filed, and the cases have been consolidated in In re TriZetto Provider Solutions Data Security Breach Litigation, 4:25-cv-01861 (E.D. Mo.). Multiple plaintiffs’ firms are accepting affected individuals. We are not a law firm and cannot give legal advice. Speak to your own attorney or one of the firms listed in the structured Quick Facts above.

Is HealthConsent affiliated with TriZetto, Cognizant, or Kroll?

No. HealthConsent is an independent health-data privacy service. We are not a customer, partner, or affiliate of any party named on this page.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.