California health system sued over 2024 breach on health IT vendor TriZetto
A patient of One Community Health in Sacramento has filed a lawsuit claiming the nonprofit health system failed to keep sensitive patient data safe. Personal health information was taken when hackers breached TriZetto, a health IT vendor that helps insurers manage claims and develop plans.
The company a subsidiary of Cognizant, was hacked in November 2024—however, the unauthorized access was not noticed and made public until October 2025. Data from One Community Health was accessed during that incident, as it used the provider solutions unit of TriZetto to manage patient and payer billing.
According to court documents, Scott Carucci, a patient at One Community Health, alleges that the organization shared medical records with TriZetto as part of the integration. Those records—which contained patient names, birth dates, Social Security numbers, insurance information, details on treatments and more—was allegedly sent and stored offsite when shared with the vendor.
The breach then allowed malicious actors to take patient records from One Community Health, including those of Carucci. He is seeking class action status for his complaint, which was filed on Jan. 15.
It’s argued that One Community Health, officially named as defendant Cares Community Health, failed to deploy adequate cybersecurity. The alleged act of negligence, the lawsuit argues, could have prevented the cyberattack from being a success.
For the purposes of this case, that means that the health system shared data that was unencrypted, and that it failed to ensure TriZetto could adequately protect personal information on patients. One Community Health, by proxy, is liable, Carucci and his lawyers argue.
Calling all victims
All individuals who had their health data accessed during this data breach are potentially eligible to sign on as co-plaintiffs. The lawsuit aims to have a court compel One Community Health to improve its security policies, while delivering a judgment for damages.
Carucci said he was forced to spend more time monitoring his credit reports and bank accounts after the breach, as he received spam calls from scammers. With Social Security numbers potentially leaked onto the dark web, anyone can be a victim of identity theft even years after a breach occurs, the lawsuit contends.
One Community Health has yet to file a formal response to the complaint.
TriZetto is facing its own class action lawsuit related to the 2024 data breach. While the company has begun notifying victims, it has not reported an official count of how many there are to U.S. Department of Health and Human Services Office for Civil Rights, as required by law. An investigation into the scope of the incident is still ongoing.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.