TL;DR
- Cognizant's TriZetto subsidiary was breached in November 2024, and the intruder remained undetected for more than 10 months [1]
- 3.4 million people's Social Security numbers, Medicare IDs, and health insurance data were exposed through an insurance eligibility verification portal [2]
- The breach happened at a software vendor — not the hospitals or clinics that trusted it with patient data
- 15% of all confirmed data breaches now involve a third-party vendor [3], yet most SMBs have no visibility into their vendors' security posture
- Five questions every business owner should ask their vendors before the problem finds you
What Actually Happened to TriZetto
TriZetto Provider Solutions is a healthcare IT company operating under Cognizant's umbrella — a global IT services firm with annual revenues exceeding $19 billion. TriZetto builds software that healthcare providers and insurers use to verify patient insurance eligibility before treatment. In practical terms: it's the system that tells a doctor's office "yes, this patient is covered" before a procedure begins.
On 19 November 2024, an unauthorised party gained access to TriZetto's external-facing web portal [1]. What followed is the part that should concern every business owner regardless of industry.
The breach was not discovered until 2 October 2025, more than 10 months after it began [2]. By the time TriZetto's security team noticed anything unusual, the intruder had had continuous, uninterrupted access to a database containing 3,433,965 individuals' records. The exposed data included full names, physical addresses, dates of birth, Social Security numbers, health insurance member numbers, Medicare beneficiary identifiers, provider names, and health insurer names [1].
Healthcare providers using the platform were notified on 9 December 2025. Consumer notifications began in early February 2026 — more than 14 months after the initial intrusion [1]. A filing submitted to Maine's Attorney General confirmed the final exposure count [2].
Why 10 Months of Silence Is the Real Story
The breach itself is serious. The 10-month detection gap is what transforms it from an incident into a case study.
According to IBM's 2024 Cost of a Data Breach Report, the average time to identify and contain a data breach globally is 258 days [4]. Healthcare runs above that average on detection time, and the sector has held the record for the most expensive breaches for 14 consecutive years, with an average breach cost of $9.77 million [4]. TriZetto's dwell time sits at the far end of this already grim distribution.
Every day an attacker remains inside a system undetected adds risk. Mandiant's 2025 M-Trends Report found that the global median attacker dwell time for internally detected breaches was 56 days [5]. TriZetto's window of more than 10 months (over 300 days) is more than five times that figure, which points to gaps in logging, threat detection, and anomaly alerting on the external-facing portal itself.
For businesses using TriZetto's platform, none of this was visible. They had no dashboard, no alert, and no way to know that the vendor managing their patients' data had a silent intruder.
The Vendor Problem: You Can't Outsource Accountability
Here is the part that applies directly to your business, even if you operate nowhere near the healthcare sector: your vendors process your data, and you remain responsible for what happens to it.
The Australian Privacy Act (APP 11), GDPR, HIPAA, and most modern privacy frameworks share a common principle: the organisation that collects personal information remains responsible for how the vendors processing it on its behalf handle it. GDPR's controller/processor split and HIPAA's covered-entity/business-associate arrangements are two expressions of the same idea [6][7]. A breach at your payroll provider, your CRM platform, or your cloud file storage service is, legally and reputationally, a breach involving your business.
According to Verizon's 2025 Data Breach Investigations Report, 15% of all confirmed breaches involve a third party, and that figure has increased for three consecutive years [3]. The attack surface hasn't expanded because businesses are getting sloppier — it has grown because modern businesses use more vendors than ever, and most vendor contracts are written to protect the vendor, not the customer.
The TriZetto incident highlights three specific failure patterns that recur in third-party breaches [8]:
- Long detection windows — insufficient logging and anomaly detection on external-facing systems
- No vendor monitoring — customers had zero visibility into the security posture of a platform processing their data
- Delayed notification — 14 months from intrusion to consumer notification violates the spirit of breach notification obligations and, in some jurisdictions, the letter of the law. Most notification laws start the clock at discovery rather than intrusion, so the dwell time and the notification delay are two separate failures: even measured from the 2 October 2025 discovery, provider customers waited about two months and consumers about four months for their notices [1][2].
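The first failure pattern above, an external-facing portal with no anomaly alerting, is the one a vendor's own engineers can fix cheapest. The following is an added example, not code from the original article and not anything TriZetto runs: a per-account baseline check over access logs of a hypothetical eligibility-verification portal. The log format, account names, IP addresses and every log line are constructed for illustration. The rule is deliberately simple (daily record volume against that account's own history, plus a never-seen source address coinciding with off-hours activity), because the point is that even a crude baseline would have surfaced a bulk pull of records on its first day rather than after ten months.

```python
"""
Added example (not part of the original article and not TriZetto's code):
a per-account baseline check over access logs of an external-facing
eligibility portal. The log format, account names and IPs are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical log format: ISO timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3}) records=(?P<records>\d+)$"
)

# Constructed sample: two clinics do a handful of single-patient checks a
# day; on 4 June one account suddenly pulls 1,500 records at 03:00 UTC from
# an address it has never used before.
SAMPLE_LOG = """\
2025-06-02T09:12:04Z account=clinic_0417 src=203.0.113.10 path=/eligibility/check status=200 records=1
2025-06-02T09:40:51Z account=clinic_0417 src=203.0.113.10 path=/eligibility/check status=200 records=1
2025-06-02T14:03:18Z account=clinic_0417 src=203.0.113.10 path=/eligibility/check status=200 records=1
2025-06-02T10:15:00Z account=clinic_0922 src=198.51.100.7 path=/eligibility/check status=200 records=1
2025-06-02T16:22:09Z account=clinic_0922 src=198.51.100.7 path=/eligibility/check status=200 records=1
2025-06-03T08:58:40Z account=clinic_0417 src=203.0.113.10 path=/eligibility/check status=200 records=1
2025-06-03T11:30:12Z account=clinic_0417 src=203.0.113.10 path=/eligibility/check status=200 records=1
2025-06-03T09:05:33Z account=clinic_0922 src=198.51.100.7 path=/eligibility/check status=200 records=1
2025-06-03T13:47:01Z account=clinic_0922 src=198.51.100.7 path=/eligibility/check status=200 records=1
2025-06-03T15:12:45Z account=clinic_0922 src=198.51.100.7 path=/eligibility/check status=200 records=1
2025-06-04T03:02:11Z account=clinic_0417 src=192.0.2.55 path=/eligibility/search status=200 records=500
2025-06-04T03:05:27Z account=clinic_0417 src=192.0.2.55 path=/eligibility/search status=200 records=500
2025-06-04T03:09:48Z account=clinic_0417 src=192.0.2.55 path=/eligibility/search status=200 records=500
2025-06-04T10:21:30Z account=clinic_0922 src=198.51.100.7 path=/eligibility/check status=200 records=1
2025-06-04T14:40:03Z account=clinic_0922 src=198.51.100.7 path=/eligibility/check status=200 records=1
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "account": d["account"], "src": d["src"],
                       "path": d["path"], "status": int(d["status"]),
                       "records": int(d["records"])})
    return events


def daily_profile(events, work_hours=(6, 22)):
    """Aggregate per account and per UTC day: records returned, source IPs seen,
    and the number of requests outside the assumed working window."""
    prof = defaultdict(lambda: defaultdict(lambda: {"records": 0, "srcs": set(), "off_hours": 0}))
    start, end = work_hours
    for e in events:
        day = prof[e["account"]][e["ts"].date()]
        day["records"] += e["records"]
        day["srcs"].add(e["src"])
        if not (start <= e["ts"].hour < end):
            day["off_hours"] += 1
    return prof


def detect(events, ratio=10.0, min_records=100):
    """Flag an account-day when its record volume exceeds `ratio` times the mean of
    all earlier days for that account (and at least `min_records`), or when a
    never-seen source IP coincides with off-hours requests. Each account's first
    observed day serves as baseline only and is never alerted on."""
    alerts = []
    for account, days in daily_profile(events).items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            prior = [days[d] for d in ordered[:i]]
            if not prior:
                continue
            baseline = max(sum(p["records"] for p in prior) / len(prior), 1.0)
            known_srcs = set().union(*(p["srcs"] for p in prior))
            today = days[day]
            volume_spike = today["records"] >= min_records and today["records"] > ratio * baseline
            new_srcs = sorted(today["srcs"] - known_srcs)
            if volume_spike or (new_srcs and today["off_hours"]):
                alerts.append({"account": account, "date": day.isoformat(),
                               "records": today["records"], "baseline": round(baseline, 1),
                               "new_srcs": new_srcs, "off_hours": today["off_hours"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed sample, the check returns a single alert for clinic_0417 on 4 June: 1,500 records against a baseline of 2.5 per day, a new source address, and three off-hours requests. In production the baseline window would be weeks rather than days and the thresholds tuned per customer tier, but the structure (parse, aggregate per principal, compare each day to that principal's own history) is the same.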
The 5-Question Vendor Security Checklist
You do not need a dedicated security team to do basic vendor due diligence. These five questions surface the most common gaps before they become your problem.
1. Can you provide a current SOC 2 Type II report or ISO 27001 certificate?
SOC 2 Type II means an independent auditor has tested that the vendor's security controls actually operated over a defined period (typically 6 to 12 months), not just that policies exist on paper. Strictly, SOC 2 produces an auditor's attestation report rather than a certificate, so ask for the report itself and read the scope, the period covered, and any exceptions the auditor noted. ISO 27001 is the international information security management standard and does result in a certificate, issued by an accredited certification body. If a vendor handling your sensitive data can provide neither, their security posture is unverified [9].
2. What is your mean time to detect (MTTD) for security incidents?
This is a core metric for security operations teams. A vendor that cannot answer this question does not measure it — which means they do not actively manage it. TriZetto's 10-month detection gap is what MTTD failure looks like at scale.
3. How do you notify customers in the event of a breach, and within what timeframe?
Many jurisdictions require notification to regulators within 72 hours. Customers often wait months. Get the commitment in writing before you sign. Ensure your contract specifies notification timelines that meet your regulatory obligations.
4. Can you provide a summary of your last penetration test results?
You do not need the raw technical report. A high-level summary — date conducted, critical findings, remediation status — tells you whether the vendor is being actively tested and whether identified issues are being resolved.
5. Do you have cyber insurance covering third-party liability?
If a breach at your vendor causes harm to your customers, understand whether the vendor's policy covers downstream impact, and whether your own policy provides coverage for vendor-originated incidents.
What to Do This Week
Vendor security problems are solved systematically, not reactively. Start with these four steps:
Map your vendor footprint. List every vendor that processes, stores, or transmits personal data about your customers, employees, or business. Count carefully — most SMBs discover 20 to 50 such vendors once they include cloud storage, payroll, CRM, email marketing, accounting software, and support tools.
Send a due diligence questionnaire. The five questions above are your starting point. Document the responses. If a vendor cannot or will not answer, escalate to their account management team. Continued non-engagement is itself a risk signal and should trigger a documented risk decision: accept the risk, mitigate it, or replace the vendor.
Audit your breach notification clauses. Most SaaS agreements bury notification obligations in legalese that favours the vendor's timeline. Know what you signed, and negotiate for tighter notification windows on your next renewal.
Verify your cyber insurance covers vendor breaches. Many policies contain specific exclusions for third-party-originated incidents. Review before you need to claim.
FAQ
What data was exposed?
The breach exposed records associated with insurance eligibility verification transactions. Affected individuals may have had the following data compromised: full names, physical addresses, dates of birth, Social Security numbers, health insurance member numbers, Medicare beneficiary identifiers, provider names, and health insurer names. Payment card and bank account data were not involved. TriZetto reports no confirmed cases of misuse at the time of notification [1][2].
When did the breach happen, and when was it discovered?
Unauthorised access began on 19 November 2024. Suspicious activity was discovered on 2 October 2025, more than 10 months later. Consumer notifications began in early February 2026, meaning there was more than a 14-month gap between initial intrusion and customer notification [1].
Does this affect people in Australia?
Not directly from this incident. However, if you received medical treatment in the United States and your provider used TriZetto's insurance verification platform, your records may have been included in the exposed data. If you receive a notification letter, accept the credit monitoring offer [2].
Why does a US healthcare breach matter to an Australian business?
Because the same risk exists with your own vendors. Your payroll software, CRM, cloud storage, and accounting tools all hold sensitive data about your customers and employees. Under the Australian Privacy Act and equivalent laws globally, a breach at any vendor processing data on your behalf creates legal obligations and reputational exposure for your business [6][7].
What is the first thing an SMB should do?
Start with a contract audit and a questionnaire. Before onboarding any new vendor that handles personal data, send a written security questionnaire. For existing vendors, add a breach notification clause to your next renewal requiring notification within 72 hours. Free third-party risk guidance and question sets are available from CISA and NIST [9][10]. This costs nothing and significantly raises your baseline protection.
References
[1] B. Toulas, "Cognizant TriZetto breach exposes health data of 3.4 million patients," BleepingComputer, Mar. 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/
[2] Maine Attorney General, "TriZetto Provider Solutions Data Breach Notification Filing," Maine AG Office, Feb. 2026. [Online]. Available: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/e2c4cc45-dc81-498d-89f0-28c887808b41.html
[3] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[4] IBM Security, "Cost of a Data Breach Report 2024," IBM, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach
[5] Mandiant, "M-Trends 2025 Special Report," Mandiant / Google Cloud, 2025. [Online]. Available: https://www.mandiant.com/resources/m-trends
[6] Office of the Australian Information Commissioner, "Australian Privacy Principle 11 — Security of Personal Information," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information
[7] U.S. Department of Health and Human Services, "HIPAA Security Rule: Business Associate Arrangements," HHS, 2024. [Online]. Available: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
[8] COE Security, "Healthcare Supply Chain Under Cyber Siege," COE Security, Mar. 2026. [Online]. Available: https://coesecurity.com/healthcare-supply-chain-under-cyber-siege/
[9] CISA, "Guidance for Addressing Cybersecurity Risk in Third-Party Relationships," CISA, Nov. 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/guidance-addressing-cybersecurity-ri[API-KEY-REDACTED]
[10] NIST, "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161r1)," NIST, May 2022. [Online]. Available: https://doi.org/10.6028/NIST.SP.800-161r1
TL;DR
- A software company called TriZetto was hacked — and the hackers stayed hidden inside their systems for 10 months [1]
- 3.4 million people's Social Security numbers and health insurance records were exposed, and nobody noticed for almost a year [2]
- Your business uses vendors that hold your customers' data too — and when those vendors get hacked, it becomes your problem
- Three things you can check this week to know whether your vendors are protecting the data you've trusted them with
Imagine Someone Copying Your Spare Key
You gave a spare key to a software contractor years ago. They help run your systems, they do a good job, and you never really think about them.
Then one day you find out: someone broke into the contractor's office, found your spare key, and has been quietly letting themselves into your business every night for 10 months. They weren't stealing cash — they were photographing files. Customer records. Employee details. Insurance information.
You had no idea. The contractor had no idea. And every night, a little more of your data walked out the door.
That is essentially what happened to TriZetto Provider Solutions — a company that processes health insurance paperwork for thousands of doctors and clinics across the United States. Hackers broke in during November 2024. Nobody noticed until October 2025. By then, 3.4 million people's records had been exposed [1].
What Makes This Different From a Typical Hack?
Most people picture a cyberattack like a smash-and-grab robbery. Someone breaks in, grabs what they can, and runs before the alarm sounds.
This was more like a quiet, long-term spy operation. The hackers found a side door, kept quiet enough that nobody noticed, and had almost a year to read everything they could access.
The exposed information included names, home addresses, Social Security numbers, Medicare ID numbers, and health insurance details [2]. This is not the kind of data you can just replace, like cancelling a credit card. Social Security numbers, health records, and Medicare IDs can be used for identity theft for years, sometimes decades, after they are stolen.
The Part That Directly Affects Your Business
TriZetto is not a small startup. It is owned by Cognizant, one of the largest IT companies in the world [1]. And even they took 10 months to notice someone was inside their systems. According to IBM's 2024 Cost of a Data Breach Report, the average time to detect a breach in the healthcare sector is even longer than the global average — and the average healthcare breach costs $9.77 million [5].
Here is what this means for your business: you almost certainly have vendors who hold your customers' data too.
Think about your payroll software. Your customer database. Your email marketing tool. Your cloud file storage. Your accounting platform. Every single one of these holds personal information about real people — your customers, your employees, your business partners. According to Verizon's 2025 Data Breach Investigations Report, 15% of all confirmed data breaches now involve a third-party vendor [6].
If any of those vendors get hacked, your customers' information is at risk. And under Australian privacy law, you have legal responsibilities even when the breach happens at a vendor's end, not your own [3].
Three Things You Can Check This Week
You do not need to become a cybersecurity expert to protect your business here. These three checks are practical, free, and take less than an afternoon.
1. List every vendor that holds your data. Start with payroll, customer databases, accounting software, and email tools. Write them down. Most business owners are surprised — once you count carefully, the average is 20 to 50 vendors.
2. Ask each vendor: "Can you show me a current SOC 2 Type II report or ISO 27001 certificate?" These are independent security audits conducted by external auditors. A vendor that can show one has had its security controls independently checked. A vendor that can show neither is asking you to take its security on trust. If they handle sensitive data for your business, the answer to this question matters [4].
3. Check your contracts for breach notification clauses. How quickly does your vendor have to tell you if they get hacked? In the TriZetto case, more than a year passed between the intrusion and the notification letters, and about two months passed between discovery and the notice to provider customers [1]. Make sure your contracts do not allow that kind of delay.
FAQ
What is TriZetto, and why does this breach matter?
TriZetto is a US healthcare IT company that processes insurance eligibility data for doctors and clinics. The reason it matters is the pattern it represents: a software vendor was trusted with millions of sensitive records, failed to detect a breach for nearly a year, and notified affected parties more than 14 months after the intrusion began. The same risk exists with any vendor that processes data for your business [1].
What happens if my data was affected?
If your data was affected, TriZetto and their notification partner Kroll will send a physical letter explaining what happened and offering 12 months of free credit monitoring and identity protection services. Accept the offer; it is genuinely useful [2].
Am I responsible if my vendor gets hacked?
Yes. Under Australian Privacy Principle 11 and equivalent laws in the UK, EU, and US, you are responsible for taking reasonable steps to protect the personal information you hold, including data that is stored or processed by third-party vendors on your behalf [3]. "My vendor got hacked" is not a complete defence.
What is SOC 2?
SOC 2 stands for System and Organization Controls 2. It is an independent audit that verifies a company's security actually works in practice, not just on paper. A SOC 2 Type II report means the auditor tested the controls over a period of real operations (typically 6 to 12 months), not a one-day snapshot. Strictly, SOC 2 produces an auditor's report rather than a certificate, so when a vendor says they are "SOC 2 Type II certified", ask to see the report and check which services and what period it covers [4].
References
[1] B. Toulas, "Cognizant TriZetto breach exposes health data of 3.4 million patients," BleepingComputer, Mar. 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/
[2] Maine Attorney General, "TriZetto Provider Solutions Data Breach Notification Filing," Maine AG Office, Feb. 2026. [Online]. Available: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/e2c4cc45-dc81-498d-89f0-28c887808b41.html
[3] Office of the Australian Information Commissioner, "Australian Privacy Principle 11 — Security of Personal Information," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information
[4] AICPA, "SOC 2 — SOC for Service Organizations: Trust Services Criteria," AICPA, 2024. [Online]. Available: https://www.aicpa-cima.com/resources/download/soc-2-trust-services-criteria-including-the-2022-points-of-focus
[5] IBM Security, "Cost of a Data Breach Report 2024," IBM, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach
[6] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/
[7] COE Security, "Healthcare Supply Chain Under Cyber Siege," COE Security, Mar. 2026. [Online]. Available: https://coesecurity.com/healthcare-supply-chain-under-cyber-siege/
[8] CISA, "Guidance for Addressing Cybersecurity Risk in Third-Party Relationships," CISA, Nov. 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/guidance-addressing-cybersecurity-ri[API-KEY-REDACTED]