TriZetto confirms year-long hack of its network exposed records on 3.4M people
Medical claims and revenue cycle management company TriZetto revealed that a data breach on its network—first discovered in November 2025—impacted over 3.4 million people. Those individuals, most of whom are patients of TriZetto clients, had their data exposed to hackers in a breach that has been ongoing on for roughly a year before it was thwarted.
Until recently, the total number of victims was unknown. However, it was always assumed to be significant, given the extensive length of time hackers were inside the network unseen, slowly accessing sensitive information on patients.
According to a recent filing with the Office of the Maine Attorney General, the breach likely initially occurred on November 19, 2024. In the state alone, the number of people impacted is reported at 1,128.
Notably, TriZetto also quietly submitted the total number of victims to the U.S. Department of Health and Human Services Office for Civil Rights on Feb. 6, as reported on the agency’s data breach tracker.
The company said it first spotted suspicious activity on its network in October 2025, but it wasn’t confirmed to be a full-blown data breach until a month later. At that time, it secured its systems to stop further access.
Stolen data was confirmed to include names, dates of birth, Social Security numbers and demographic information including gender and race. Protected health information was also exposed, including provider names, health insurance details and other details related to patient care encounters that would be pertinent to the filing of medical claims. This could include information on diagnoses and treatments.
TriZetto confirmed that intruders had no access to financial information such as credit card or banking details on individuals. It also said it has not been made aware of any incidents of identity theft or fraud associated with the cyberattack.
To date, no data troves linked to the breach have been discovered on any dark web forums. The criminal or group responsible for the invasion is as yet unknown.
In its report to Maine, TriZetto offered all impacted individuals access to identity theft protection services. It said it began alerting all victims in February, sending them written notices.
Health system in California sued
As reported by HealthExec in January, a patient of One Community Health in Sacramento filed a lawsuit claiming the nonprofit hospital failed to protect sensitive patient data, given that it shared it with TriZetto, one of its vendors.
In the lawsuit, patient Scott Carucci alleged that One Community Health shared medical records with TriZetto as part of its systems integration, including names, birth dates, Social Security numbers, insurance information and treatment details that were stored offsite.
The breach allowed hackers to access patient records, including Carucci’s. His lawyers contend that the organization failed to use adequate cybersecurity and did not ensure TriZetto properly protected patient data.
The complaint asked the court to require stronger security measures and award damages, while Carucci says he has had to closely monitor his finances due to potential identity theft.
The lawsuit is seeking class action status.
Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.