Third-Party Healthcare and Benefits Service Provider Breaches Expand to Millions of Victims
Health insurance technology provider TriZetto Provider Solutions (a Cognizant subsidiary) updated breach notifications indicating the impact of its November 2024 intrusion has grown to more than 3.4 million affected individuals. Disclosures to state regulators and downstream notifications from county governments and healthcare providers indicate theft of sensitive personal data including addresses, Social Security numbers, and health insurance identifiers, with some jurisdictions reporting hundreds of thousands of impacted residents.
Separately, the Conduent incident has expanded dramatically in public filings, with reported totals rising from roughly 10.5 million to more than 25 million affected individuals across the US, including a major increase in Texas (reported at 15.4 million) while Oregon remains around 10.5 million. Reporting indicates attackers maintained access for roughly three months and exfiltrated about 8 TB of data, underscoring the systemic risk posed by large, behind-the-scenes vendors that support Medicaid/SNAP and other state benefit programs, healthcare-related processing, and major employer services—creating a wide “blast radius” even for individuals unfamiliar with the vendor name.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
TriZetto files updated Oregon disclosure exceeding 3.4 million victims
TriZetto Provider Solutions submitted an updated breach disclosure to Oregon's Justice Department reporting that the 2024 incident affected more than 3.4 million individuals. The filing followed earlier notifications to other U.S. regulators, including disclosures reflected in Texas and South Carolina figures.
Conduent breach total rises above 25 million people
Updated state notifications reportedly expanded the known impact of the Conduent breach from about 10.5 million to more than 25 million people nationwide. Texas' estimated affected population reportedly increased from roughly 4 million to 15.4 million residents.
Conduent breach disclosures put impact at about 10.5 million
Initial state breach notifications for the Conduent incident reportedly indicated that about 10.5 million people were affected. Oregon's reported total was around 10.5 million individuals.
SafePay ransomware gang claims the Conduent attack
The Conduent incident was later claimed by the SafePay ransomware gang. Reportedly exposed data included Social Security numbers, government identifiers, and medical and insurance information.
Conduent attackers maintain access and exfiltrate 8 TB of data
Attackers reportedly remained inside Conduent's environment for about three months and stole approximately 8 TB of data. The compromise affected a vendor that supports state benefit programs, healthcare-related payment and mailroom services, and corporate back-office and HR functions.
TriZetto suffers breach affecting healthcare data
In November 2024, TriZetto Provider Solutions was hacked, leading to the theft of sensitive personal and health insurance data. Oregon county governments later said the incident exposed details including addresses, Social Security numbers, and health insurance numbers for more than 700,000 people.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
TriZetto Provider Solutions Data Exfiltration Affecting Healthcare Client Insurance Data
**TriZetto Provider Solutions** (a Cognizant business unit providing revenue cycle management and claims clearinghouse services) is notifying more than **3.4 million individuals** after investigators determined threat actors accessed and exfiltrated healthcare clients’ **insurance-related data**. The activity reportedly began in **November 2024** but was not detected until **October 2025**, indicating a prolonged period of unauthorized access before discovery. The incident was reported to the U.S. Department of Health and Human Services via the **HIPAA Breach Reporting Tool** as impacting approximately **3.43 million** people, while TriZetto has not publicly specified how many healthcare customers were affected. Multiple healthcare organizations have publicly stated they were impacted and have issued their own patient notifications, underscoring downstream exposure risk for providers relying on TriZetto’s billing and claims processing services.
Mar 21, 2026
Healthcare Sector Data Breach Disclosures Expand Victim Counts Across Multiple Incidents
Multiple healthcare-related breach disclosures expanded significantly, led by *TriZetto Provider Solutions* reporting to regulators that **3,433,965** people were affected after an attacker used a web portal to access historical eligibility reports containing sensitive data (including **SSNs** and insurance information). Separately, *Conduent Business Services* told Wisconsin regulators that its incident now impacts **“25 million-plus”** people nationwide; the Xerox spinoff had previously reported **~15.5 million** affected in Texas, prompting an investigation by Texas AG Ken Paxton, while reporting noted the event is still smaller than the largest U.S. health-data breach on record. Reporting on the *Change Healthcare* ransomware incident reiterated that UnitedHealth estimated roughly **190 million** people were affected, with congressional testimony attributing initial access to a **Citrix remote access portal lacking MFA**, followed by data theft and ransomware deployment; reporting also cited a **$22 million** ransom payment. In the Asia-Pacific region, a separate healthcare privacy incident involving New Zealand’s *ManageMyHealth* patient portal was cited as exposing data from **~120,000** people, and was used to underscore governance, access control, and third-party oversight gaps as recurring drivers of healthcare-sector exposure.
Mar 21, 2026
Large US Healthcare Data Breaches Impacting Millions of Patients
Multiple healthcare-sector data breaches were disclosed with significant exposure of **protected health information (PHI)**. TriZetto Provider Solutions (TPS), an insurance verification provider, reported a compromise that began in **November 2024** and was not detected until nearly a year later; the threat was reportedly eradicated on **Oct. 2, 2025**. Notifications to affected healthcare provider customers across several states continued into late 2025 and early 2026, with one Oregon advisory estimating exposure affecting **more than 700,000 people**; impacted providers stated there was no current evidence of misuse and that **financial details were not stolen**. Separately, Healthcare Interactive (*HCIactive*), an AI-powered insurance enrollment and benefits administration vendor, confirmed that an intrusion and data exfiltration tied to activity in mid-2025 ultimately affected **3,056,950 individuals**, after earlier placeholder reporting while scope was still being determined; reported unauthorized access windows vary from **July 8–12, 2025** to a broader **June 17–July 22, 2025**. Another incident involved AI care-coordination platform *Lena Health*, where a threat actor claimed exposure of patient data (including references to a **Twilio call recording database**) and alleged that **2,134 patients’ PHI** was stored in an unencrypted export in a public-facing **AWS S3 bucket**, with follow-on reporting indicating exploitation after a publicly disclosed vulnerability and an available patch that was not applied in time.
Mar 21, 2026