TriZetto Provider Solutions Breach 2026 (Cognizant): 3.4M Patients Exposed. What Was Stolen and What To Do
The TriZetto Provider Solutions data breach, disclosed February 2026, exposed Social Security numbers, Medicare Beneficiary IDs, and health insurance data for 3,433,965 Americans across 44+ downstream healthcare providers. If you received a notification letter from TriZetto, Kroll, or any provider naming TriZetto, here is what was taken and what to do.
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Nov 19, 2024
Unauthorized access began
Oct 2, 2025
Suspicious activity detected; Mandiant engaged
Dec 9, 2025
Provider customers notified
Feb 6, 2026
Filed with HHS OCR; individual letters mailed
Mar 13, 2026
First federal class action filed (Madoff v. Cognizant)
Nov 19, 2024
Unauthorized access began
Oct 2, 2025
Suspicious activity detected; Mandiant engaged
Dec 9, 2025
Provider customers notified
Feb 6, 2026
Filed with HHS OCR; individual letters mailed
Mar 13, 2026
First federal class action filed (Madoff v. Cognizant)
Data exposed
01
High-risk identity
Enables financial + identity theft
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
TriZetto Provider Solutions is a healthcare-claims and insurance-eligibility-verification clearinghouse owned by Cognizant Technology Solutions. It sits in the middle of US healthcare payments: when a provider verifies whether a patient’s insurance covers a service, that transaction often passes through TriZetto’s systems. The company serves dozens of healthcare providers, federally qualified health centers, hospital systems, and the OCHIN network of community health clinics.
On October 2, 2025, TriZetto detected suspicious activity inside a customer-facing web portal that its healthcare-provider clients use to access historical insurance eligibility transaction records. The forensic investigation that followed, led by Mandiant, traced the unauthorized access back to November 19, 2024. The attacker spent close to eleven months inside the system before detection.
TriZetto notified its healthcare-provider customers on December 9, 2025, gave them time to identify their affected patients, and then filed with the US Department of Health and Human Services Office for Civil Rights on February 6, 2026. The filing confirmed 3,433,965 individuals were affected. State attorneys general in Oregon, Texas, California, Massachusetts, New Hampshire, Vermont, Maine, and South Carolina received parallel filings.
Because TriZetto is a business associate, most affected individuals have no direct relationship with TriZetto itself. If you received care from any provider that uses TriZetto for eligibility verification, or from any health center in the OCHIN network, your records may have been in the system the attacker accessed.
What was stolen
The forensic investigation confirmed the compromised records contained:
- Full name
- Date of birth
- Home address
- Social Security number
- Health insurance member number
- Medicare Beneficiary Identifier (for affected Medicare enrollees)
- Health insurer name
- Provider name
- Primary insured and dependent information
Notification letters explicitly state that payment card, bank account, and financial information were not in the compromised dataset. The exposure is identity-fraud and medical-identity-fraud shaped, not credit-card shaped.
The combination of SSN plus Medicare Beneficiary Identifier is particularly serious for older adults. The Medicare ID gives a fraudster the key to file false claims under your Medicare coverage, which is harder to detect than a fraudulent credit-card charge because the explanation-of-benefits arrives in the mail weeks later.
Who is affected (downstream providers)
TriZetto provides eligibility-verification infrastructure to at least 44 downstream covered entities, with industry estimates closer to 54+ once the full OCHIN subcontractor chain is accounted for. Named downstream entities include:
- OCHIN (community health network covering ~9% of its ~711,000 Epic patients)
- Open Door Community Health Centers (Oregon)
- LifeLong Medical Care
- San Francisco Community Health Center
- Asian Americans for Community Involvement (AACI)
- Planned Parenthood Northern California
- Gardner Health Services
- Mission Neighborhood Health Center
- One Community Health
- Variety Care
- Columbia River Health
- Cascadia Health
- Lynn Community Health Center
- MercyOne
- Norman Regional Health System
- Native American Health Center
- La Clinica de la Raza
- Shoreline Orthopaedics
- Utah Valley Pediatrics
Many additional federally qualified health centers and provider groups have published notices on their own websites. If you received care at any FQHC in the OCHIN network between 2024 and 2025, you may be included even if no provider has contacted you directly yet.
What TriZetto is offering
Affected individuals are being directed to Kroll (call center: 844-572-2725; enrollment site: tpsincident.kroll.com) for 12 months of complimentary credit monitoring, single-bureau, plus a credit report, credit score, fraud consultation, and identity-theft restoration services. Enrollment deadlines vary by letter cohort but generally run through May or August 2026.
Credit monitoring catches new credit accounts opened in your name. It does not stop your Medicare Beneficiary Identifier from being used to file false healthcare claims, and it does not stop your health information from being sold downstream to data brokers.
What to do if you received a notification letter
This week:
- Accept the Kroll credit monitoring. Twelve months is shorter than typical and there is no extension yet announced, so use the full window.
- Place a free credit freeze at Equifax, Experian, and TransUnion.
- File IRS Form 14039 to prevent a fraudulent tax return under your SSN.
- If you are a Medicare beneficiary, also call 1-800-MEDICARE and ask for a new Medicare Beneficiary Identifier. Medicare will issue a replacement card; the old MBI gets flagged for fraud monitoring.
- Review Explanation of Benefits (EOB) statements from your health insurer for any services you did not receive.
This month:
- Stop the ongoing flow of your health data. HealthConsent files HIPAA restriction requests and Health Information Exchange opt-outs across providers, insurers, HIEs, and prescription networks so the demographic and insurance data exposed in this breach is not continuously re-shared and sold by other entities downstream.
- Check whether you also received care from an OCHIN-network FQHC. If you did, OCHIN’s notice at
ochin.org/news/trizetto-third-party-breachmay apply to you separately, and the affected patient list there is still expanding as downstream providers complete their reviews.
Frequently asked questions
How do I know if I am affected?
If you received care at any of the 44+ downstream providers listed above (or any OCHIN-network health center), and if your health insurance was billed through TriZetto’s eligibility-verification system between late 2024 and October 2025, you are likely affected. Notification letters are being mailed in waves. Not having received one yet does not mean you are excluded.
Why is the time between the attack and notification so long?
The attacker had access from November 2024 but the activity was not detected until October 2025. TriZetto then needed several months to identify which downstream providers had affected patients and which specific records were exposed. By federal law, covered entities must notify within 60 days of determining who is affected, not within 60 days of the incident itself.
Was a ransomware group involved?
No group has publicly claimed responsibility, and TriZetto has not attributed the intrusion. No data from this incident has been observed on dark-web leak sites tied to the TriZetto compromise itself. (A separate “Insomnia” leak listing for Valley Family Health Care is treated by reporters as a related but distinct downstream incident.)
Should I sue?
At least four named federal class actions have been filed, and the cases have been consolidated in In re TriZetto Provider Solutions Data Security Breach Litigation, 4:25-cv-01861 (E.D. Mo.). Multiple plaintiffs’ firms are accepting affected individuals. We are not a law firm and cannot give legal advice. Speak to your own attorney or one of the firms listed in the structured Quick Facts above.
Is HealthConsent affiliated with TriZetto, Cognizant, or Kroll?
No. HealthConsent is an independent health-data privacy service. We are not a customer, partner, or affiliate of any party named on this page.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- Kroll: TriZetto Provider Solutions Substitute Notice
- HIPAA Journal: TriZetto Provider Solutions Data Breach
- HIPAA Journal: February 2026 Healthcare Data Breach Report
- OCHIN: TriZetto Third-Party Breach Notice
- Maine Attorney General: TriZetto Filing
- Vermont Attorney General: TriZetto Filing
- California Attorney General: TriZetto Notification Letter
- HHS OCR Breach Portal
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.