I literally just wrapped up the Clop hit on Madison Square Garden through their Oracle EBS vendor — a post I ended by saying the healthcare software supply chain is the highest-risk version of this exact problem — and I am not even kidding, the confirmation landed before I’d closed the tab. Cognizant’s TriZetto Provider Solutions division. Three point four million patient records. Healthcare payment administration data. The exact category of breach I told you was coming. If you’re reading this thinking “we don’t use TriZetto so this isn’t our problem,” sit down. Because this is absolutely your problem, and I’ll tell you exactly why.
What Happened
Per SecurityWeek, The Hacker News, and InnovateCybersecurity’s March 9 roundup, Cognizant’s TriZetto Provider Solutions — a healthcare IT subsidiary of one of the world’s largest IT services firms — has disclosed a significant data breach exposing sensitive information for approximately 3.4 million individuals. TriZetto builds and operates healthcare payment administration and eligibility management platforms — the software plumbing that sits between healthcare providers, payers, and patients to handle claims processing, eligibility verification, prior authorizations, and the rest of the financial mechanics that run behind every single medical encounter in the US.
The compromised data includes: full names, dates of birth, Social Security numbers, health insurance member IDs, group numbers, Medicare and Medicaid identifiers in some cases, and claims data — which contains the actual clinical information. What procedures were performed. What conditions were treated. What prescriptions were filled. Not just who you are and what your SSN is. Who you are, what your SSN is, what diseases you have, what medications you take, and what your insurance will and won’t cover. The full picture.
Cognizant’s public statement described the incident as under investigation. At time of writing, attribution and the specific attack vector had not been publicly confirmed, though the pattern — centralized healthcare platform, massive simultaneous exposure, third-party managed system — fits the established playbook of groups like Clop who run exactly this kind of “hit the shared platform, hit every client simultaneously” campaign. Per reporting from SecurityWeek and other outlets tracking the story, the investigation is ongoing and the full scope of which provider and payer organizations’ patient populations are affected is still being determined. Which means 3.4 million is potentially a floor, not a ceiling.
Why This One Hits Different
Let me explain why a healthcare data breach is categorically worse than a financial data breach, because I get tired of people treating them equivalently.
Financial data — credit card numbers, SSNs in isolation, bank account data — is serious. It causes real harm. People spend months untangling identity fraud. But the damage is fundamentally financial and, over time, reversible. You can close accounts. You can put fraud alerts on your credit. You can dispute fraudulent charges. It’s a nightmare, but it has a resolution path.
Health data breaches cause harms that are significantly more personal and in some cases permanent. Employer discrimination based on disclosed health conditions is illegal under the ADA, but it happens, and it’s nearly impossible to prove. Insurance coverage decisions are affected by exposed pre-existing conditions. Sensitive diagnoses — HIV status, mental health conditions, substance abuse treatment, reproductive health — when exposed, affect personal relationships, professional opportunities, and personal safety in ways that a stolen credit card number does not. These records also don’t expire the way financial data does. Your SSN can be changed in some circumstances. Your HIV diagnosis from 2019 cannot be un-disclosed.
The downstream clients of TriZetto are healthcare providers and insurance payers who trusted that TriZetto’s platform was securing their patients’ most sensitive data. Those providers now have a breach notification obligation — to their patients, to the HHS Office for Civil Rights under HIPAA, to state attorneys general under applicable state breach notification laws — even though they didn’t directly control the system that failed. As I documented in my writeup on the Marquis vs. SonicWall vendor risk lawsuit, the breach liability lands on the customer organization even when the root cause is a vendor security failure. In healthcare, that liability is even more acute because HIPAA’s business associate framework creates explicit legal obligations for covered entities whose business associates suffer breaches.
Cognizant is a Business Associate under HIPAA for every covered entity using TriZetto. When a HIPAA Business Associate has a breach, the covered entity has breach notification obligations under the HIPAA Breach Notification Rule. Sixty days from discovery to notify affected individuals. Sixty days. Not seven months like MSG took with their Clop breach. Sixty days or you are in HIPAA violation, and HHS OCR fines for HIPAA violations are not gentle. They range from $100 to $50,000 per violation, per day, with annual caps in the millions for willful neglect.
And this is on top of the Change Healthcare context, which should be front of mind for every single person in healthcare IT. UnitedHealth’s Change Healthcare subsidiary processed claims for roughly 40% of the US healthcare system and was taken down by ALPHV/BlackCat ransomware in February 2024. The disruption cost an estimated $22 billion across the healthcare system. Providers couldn’t get paid. Patients couldn’t fill prescriptions. The TriZetto incident is smaller in scale but identical in category: a centralized healthcare IT platform, operating at the intersection of multiple providers and payers, becomes a single point of failure for an entire ecosystem of patient data.
As I’ve documented in my research on why a Cyber 9/11 remains closer than most people comfortably acknowledge, the highest-consequence cyber incidents are the ones where a single platform failure cascades across an entire dependent ecosystem. TriZetto is precisely that kind of platform.
What Went Wrong — The Structural Failure
Healthcare IT has a specific problem that makes this pattern particularly persistent: the sector runs on old software, managed by third parties, with contractual security requirements that were written in a different threat era.
TriZetto’s platforms, like many healthcare payment administration systems, have deep roots. The underlying platforms in many cases predate modern cloud architecture, modern security engineering, and modern threat actor capabilities. They’ve been patched and extended and integrated over years and decades, which means the attack surface is broad, the technical debt is substantial, and the security tooling layered on top is retrofitted rather than native.
The managed service model compounds this. Healthcare providers outsource platform management to companies like Cognizant’s TriZetto division specifically because running complex healthcare IT in-house is expensive and requires specialized expertise. The tradeoff is that you lose direct visibility into the security posture of the platform managing your patients’ data. You can contractually require security SLAs, audit rights, and breach notification timelines, but many organizations never negotiate these requirements, because healthcare IT procurement is driven by clinical functionality and interoperability requirements, not security requirements. Security is frequently an afterthought that gets addressed in the vendor questionnaire, not in the contract.
The result: a healthcare provider relies on TriZetto to process their patients’ claims, has no direct visibility into whether TriZetto is patching on schedule or whether their environment has anomalous activity, and finds out about a breach affecting 3.4 million patients from a news alert. Not from TriZetto’s security operations team calling them on an emergency line at 2am. From a news alert.
The Fixer’s Advice — What You Do Right Now
This section has two audiences: healthcare organizations who use TriZetto or similar managed healthcare IT platforms, and security practitioners at any organization running managed platforms for sensitive data operations. Because the lessons here generalize.
For TriZetto clients specifically:
1. Initiate your HIPAA incident response protocol immediately. Don’t wait for Cognizant to tell you how many of your patients are affected. Under HIPAA, you are a covered entity, Cognizant is your Business Associate, and this is a Business Associate breach. You have independent obligations. Contact Cognizant’s dedicated breach response team, request a formal written breach notification under your Business Associate Agreement, and get a clear timeline for when you’ll have a complete list of affected individuals. That list drives your notification timeline to HHS OCR and to patients.
2. Know your HIPAA Breach Notification Rule obligations cold. The clock starts when you have knowledge of the breach, not when you complete your investigation. You have 60 days from the date of discovery to notify affected individuals. If the total number of affected individuals is 500 or more in a single state, you also have to notify prominent media outlets in that state. If 500 or more are affected nationally, you notify HHS in real time (not in the annual summary). Get your legal and compliance team engaged today.
3. Audit your Business Associate Agreements. Every BAA with TriZetto should have breach notification timelines, incident response cooperation obligations, and liability provisions. Pull yours now. Understand what Cognizant is obligated to do, what timelines they agreed to, and whether they’re in compliance. If your BAA doesn’t have specific security requirements — patch timelines, right to audit, minimum security controls — that is a remediation item for your next contract renewal. Get it in writing.
4. Prepare patient notification materials. You don’t need to wait for the final patient list to start drafting notification letters. Draft them now. The HIPAA notification letter requirements are specific: what happened, what information was involved, what affected individuals can do to protect themselves, what you are doing to investigate and prevent future incidents, and contact information. Free credit monitoring is standard. For health data breaches, consider offering identity theft protection services that specifically cover synthetic identity fraud, which is a growing use case for stolen healthcare records.
5. Contact your cyber liability insurer. If you have a cyber liability policy — and you should — notify them of the potential breach immediately. Most policies require prompt notification. Your insurer may have breach response resources including legal counsel, notification vendors, and credit monitoring services at pre-negotiated rates.
For all organizations running managed platforms for sensitive data:
6. Treat your Business Associate Agreements and vendor contracts as security documents, not compliance paperwork. Security requirements belong in contracts with teeth: specific patch application timelines, mandatory breach notification within 24 hours of confirmed or suspected compromise, right to conduct or require third-party security assessments on defined cycles, and financial liability provisions for vendor security failures that result in covered entity breach notification obligations.
7. Get minimum telemetry from every managed platform. You don’t need full SOC visibility into a vendor-managed environment. You need: authentication logs, configuration change logs, and data access logs, flowing into your own SIEM in near-real time. If a vendor won’t provide this, that is a red flag. If they want to charge extra for it, evaluate whether that cost is worth knowing about a breach before you read about it on SecurityWeek.
8. Run tabletop exercises for the “managed vendor breach” scenario specifically. The scenario is: you receive a news alert that your managed platform vendor has disclosed a breach. You have a 60-day HIPAA notification clock, a patient population of unknown scope, a vendor conducting their own parallel investigation, and a board wanting status updates. Who does what, in what order, in the first 24 hours? In the first week? Most healthcare organizations have never walked through this scenario. Walk through it now, while it’s a drill.
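One way to put the item 7 telemetry to work once it is flowing into your own SIEM, as an added example that is not from the post or from any vendor: a small Python checker over constructed vendor log lines that flags an audit-logging change and a bulk-read pattern on the covered entity’s side. The JSON field names, event types and actor names are assumptions about what a vendor feed would carry.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real TriZetto/Cognizant output): newline-delimited JSON, one event
# per line. Field names (ts, type, actor, setting, new, record_id) are assumptions about a vendor feed.
SAMPLE_FEED = "\n".join([
    '{"ts":"2026-03-09T01:55:00Z","type":"auth","actor":"svc-claims-export","result":"success"}',
    '{"ts":"2026-03-09T01:56:10Z","type":"config_change","actor":"svc-claims-export","setting":"audit_logging","old":"enabled","new":"disabled"}',
    '{"ts":"2026-03-09T01:57:00Z","type":"data_access","actor":"svc-claims-export","record_id":"CLM-1001"}',
    '{"ts":"2026-03-09T01:57:05Z","type":"data_access","actor":"svc-claims-export","record_id":"CLM-1002"}',
    '{"ts":"2026-03-09T01:57:09Z","type":"data_access","actor":"svc-claims-export","record_id":"CLM-1003"}',
    '{"ts":"2026-03-09T01:57:14Z","type":"data_access","actor":"svc-claims-export","record_id":"CLM-1004"}',
    '{"ts":"2026-03-09T01:57:20Z","type":"data_access","actor":"svc-claims-export","record_id":"CLM-1005"}',
    '{"ts":"2026-03-09T01:57:25Z","type":"data_access","actor":"svc-claims-export","record_id":"CLM-1006"}',
    '{"ts":"2026-03-09T09:12:00Z","type":"data_access","actor":"jdoe","record_id":"CLM-2001"}',
    '{"ts":"2026-03-09T09:40:00Z","type":"data_access","actor":"jdoe","record_id":"CLM-2002"}',
])

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def analyze(feed, bulk_threshold=5, window=timedelta(minutes=10)):
    """Return alert strings from two covered-entity-side rules over vendor telemetry:
    (1) a configuration change that turns audit logging off;
    (2) one actor touching more than bulk_threshold distinct records inside `window`."""
    alerts = []
    access = defaultdict(list)  # actor -> [(timestamp, record_id)]
    for line in feed.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if (ev["type"] == "config_change" and ev.get("setting") == "audit_logging"
                and ev.get("new") == "disabled"):
            alerts.append(f"{ev['ts']} audit logging disabled by {ev['actor']}")
        elif ev["type"] == "data_access":
            access[ev["actor"]].append((parse_ts(ev["ts"]), ev["record_id"]))
    for actor, events in access.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this actor's accesses
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {rid for _, rid in events[start:end + 1]}
            if len(distinct) > bulk_threshold:
                alerts.append(f"{events[end][0].isoformat()}Z bulk access: {actor} read {len(distinct)} records within {window}")
                break  # one alert per actor, not one per record
    return alerts
```

Tune `bulk_threshold` and `window` to the platform’s normal claims-processing volume; the point is that you see the audit-logging change and the burst read in your SIEM at 2am rather than in a news alert weeks later.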
My broader research on how dark web extortion economics have evolved covers why healthcare data specifically commands premium pricing on criminal markets — complete clinical records with SSNs enable medical identity theft, synthetic identity fraud, insurance fraud, and highly targeted social engineering, all of which are more durable revenue streams than credit card fraud. Every time a healthcare platform breach lands 3.4 million records on the market, it replenishes the supply of exactly the data type that criminal ecosystem values most.
Three point four million people trusted the healthcare system with their most sensitive information. The healthcare system outsourced managing that information to a vendor. The vendor got breached. The patients pay the price. The machine is broken. Fix it before the next one.
