TriZetto Hacked For 11 Months Before Discovery What 2.4 Million Patients Need To Know About The Class Actions

Multiple class action lawsuits filed in December 2025 allege TriZetto Provider Solutions failed to protect patient data during a massive breach where hackers had unrestricted access for nearly a year. The complaints, filed in New Jersey and Missouri federal courts, claim TriZetto violated HIPAA and exposed protected health information (PHI) including Social Security numbers, medical diagnoses, and insurance details of patients whose data was processed through its healthcare software systems.

The breach went undetected from November 2024 until October 2, 2025—giving hackers 11 months of access to sensitive health records. Class actions Lytle v. TriZetto Provider Solutions LLC (Case No. 2:25-cv-18938) and Noble v. TriZetto Provider Solutions LLC (Case No. 2:25-cv-18967) were both filed in the U.S. District Court for the District of New Jersey in late December 2025, with additional cases filed in Missouri.

This affects you if your health information was processed through TriZetto systems between November 2024 and October 2025. Healthcare providers nationwide use TriZetto’s revenue cycle management services, meaning millions of patients had their data flowing through the compromised systems without knowing the security breach was happening.

What the TriZetto Class Actions Allege

The Lawsuits Claim TriZetto Failed Basic Security

The class action complaints argue TriZetto had a duty to protect the private information patients entrusted the company with, yet failed to implement reasonable cybersecurity measures. According to court filings, hackers accessed historical eligibility transaction reports containing protected health information through a web portal used by healthcare providers. The lawsuits claim TriZetto failed to detect the unauthorized access for almost a year—from November 2024 until October 2, 2025.

Plaintiff Elizabeth Noble’s lawsuit alleges the stolen information “has either already been published or will be published imminently” by cybercriminals on the dark web. She reports experiencing a spike in spam and scam messages after the breach. The complaints also fault TriZetto for delayed notification, arguing affected individuals lost valuable time to freeze credit or monitor accounts.

Named Plaintiffs and Court Cases

Multiple lawsuits have been filed by patients from different states. Plaintiffs Liam Lytle, Maricruz Jimenez, and Carson Noel filed one case naming both TriZetto and its parent company Cognizant Technology Solutions Corporation as defendants. Elizabeth Noble filed a separate case that also names Genesis Healthcare as a defendant. Both lawsuits demand jury trials and seek compensatory, exemplary, punitive, and statutory damages for all class members.

As of January 2026, these cases are in their early stages. The lawsuits claim violations of negligence, breach of implied contract, breach of fiduciary duty, and various state consumer protection statutes.

What Patient Data Was Exposed and Why It Matters

What Is PHI and Why Is It Dangerous?

PHI stands for Protected Health Information—any health-related data that can identify you. This includes your medical history, treatment records, diagnoses, prescriptions, lab results, and billing information. PHI is strictly protected under HIPAA (the Health Insurance Portability and Accountability Act) because exposing it creates serious risks that don’t exist with regular data breaches.

When PHI is compromised, criminals can commit medical identity theft—using your information to obtain medical services, prescription drugs, or submit fraudulent insurance claims in your name. Unlike a stolen credit card that you can cancel, you can’t change your medical history, Social Security number, or health insurance member number. PHI exposure can lead to incorrect information being added to your medical records, insurance fraud that affects your coverage, discrimination based on health conditions, and privacy violations regarding sensitive diagnoses or treatments.

What the TriZetto Breach Exposed

According to breach notifications sent to affected healthcare providers, the compromised data included:

• Names of patients and primary insureds
• Addresses and dates of birth
• Social Security numbers
• Health insurance member numbers (including Medicare beneficiary numbers in some cases)
• Health insurer names
• Information about primary insureds or beneficiaries
• Demographic, health, and health insurance information

The forensic investigation by cybersecurity firm Mandiant determined an unauthorized third party accessed these historical eligibility transaction reports stored in TriZetto’s systems. Multiple healthcare providers have been affected, including Planned Parenthood Northern California (where TriZetto was a subcontractor), Santa Rosa Community Health, and others. The exact number of affected patients remains unclear, but estimates suggest millions of individuals.

Who Qualifies as Affected and What You Could Receive

Am I Part of the Class Action?

You’re potentially included if your health information was processed through TriZetto Provider Solutions systems and you received a breach notification letter from either TriZetto or your healthcare provider. The class actions seek to represent nationwide groups of patients whose personally identifiable information or personal health information was compromised.

You don’t need to actively “join” the lawsuit. If you’re a class member, you’re automatically included unless you opt out. However, you typically won’t know if you’re officially part of the class until the court certifies it, which could take months or years.

What Compensation Might Be Available

While the TriZetto cases haven’t reached settlement yet, similar healthcare data breach class actions provide context for what affected patients might receive. Recent settlements show:

• Yale New Haven Health: $18 million settlement for 5.6 million affected patients (up to $5,000 for documented losses or $100 alternate cash payments)
• Alabama Cardiology Group: $2.225 million settlement affecting 280,000 people (up to $5,000 for documented losses)
• Hypertension Nephrology Associates: $625,000 settlement for 39,491 patients (up to $5,000 for out-of-pocket losses plus $80 for lost time)
• Omni Family Health: $6.5 million for data breach (estimated $105 per claimant pro rata payment)

Typical compensation categories include reimbursement for identity theft costs, credit monitoring expenses, time spent addressing the breach (often $20-$25 per hour), emotional distress, and statutory damages under state data breach notification laws. If TriZetto settles, you’ll likely need to file a claim form with documentation of your losses. Those without documented harm usually receive smaller pro rata payments.

What TriZetto Allegedly Did Wrong

Security Failures That Led to the Breach

The lawsuits claim TriZetto failed to implement industry-standard cybersecurity measures necessary to protect sensitive patient data. Specific alleged failures include inadequate monitoring that allowed 11 months of unauthorized access to go undetected, weak access controls on the web portal used by healthcare providers, failure to secure historical eligibility transaction reports containing PHI, and insufficient security protocols for a company handling millions of patients’ protected health information.

As a business associate under HIPAA, TriZetto had legal obligations to implement administrative, physical, and technical safeguards to protect PHI. The HIPAA Security Rule requires risk assessments, encryption where appropriate, access controls, audit logging, and breach detection systems.

Legal Violations Alleged in the Complaints

The class actions assert multiple legal claims:

• Negligence: Failing to exercise reasonable care in protecting patient data
• Breach of implied contract: Violating the understanding that patient information would be kept confidential
• Breach of fiduciary duty: Failing to safeguard data entrusted to TriZetto
• HIPAA violations: Not following federal healthcare privacy and security requirements
• State consumer protection law violations: Breaking state data breach notification statutes and unfair business practice laws

The complaints emphasize that patients and healthcare providers had a reasonable expectation TriZetto would comply with its legal obligations to keep information secure and confidential.

What You Must Know

Your Rights After a Healthcare Data Breach

When your PHI is compromised, federal and state laws protect you. Under HIPAA breach notification rules, covered entities (healthcare providers) and business associates (like TriZetto) must notify you within 60 days of discovering a breach affecting 500 or more individuals. Breach notices must explain what happened, what information was involved, what you should do, and what the organization is doing to investigate and prevent future breaches.

You have the right to file a complaint with the HHS Office for Civil Rights if you believe your HIPAA rights were violated. Visit hhs.gov/ocr to file online. Many states also have data breach notification laws with additional protections and remedies. Beyond participating in class actions, you can report identity theft to the FTC at IdentityTheft.gov.

Common Mistakes That Leave You Vulnerable

Don’t ignore breach notification letters—they contain critical information about what was exposed and what actions you should take. Many people assume they’re not affected without checking or don’t understand what PHI exposure means long-term. Failing to monitor your credit reports, medical records, and insurance statements for unauthorized activity is a mistake. Not placing fraud alerts or credit freezes when PHI is exposed leaves you open to identity theft.

Document everything related to the breach including notification letters, time spent addressing it, and any suspicious activity. If a settlement is reached, you’ll need this documentation to claim reimbursement. Missing claim deadlines means forfeiting compensation.

What Happens Next in Healthcare Data Breach Litigation

Healthcare data breach class actions typically follow this pattern. Multiple lawsuits get consolidated into one case (multidistrict litigation). The defendant files a motion to dismiss, which the court rules on. Discovery follows where plaintiffs’ attorneys investigate the company’s security practices and breach response. The court decides whether to certify the class.

Most cases settle before trial. Settlement negotiations can happen at any stage. If approved, class members receive notice with instructions for filing claims. Payments typically arrive 60-90 days after final approval, assuming no appeals. The entire process usually takes 2-4 years from initial filing to final payment distribution.

What to Do Next

If Your Data Was Involved in the TriZetto Breach

Check whether you received a breach notification letter from your healthcare provider, TriZetto Provider Solutions, or a settlement administrator. The letter will contain specific details about what information was compromised and a unique identification number you’ll need for any claims.

Determine if your health information was processed through TriZetto systems between November 2024 and October 2025. If you received healthcare services during this time from providers using TriZetto’s revenue cycle management or billing services, your data may have been exposed.

Save all breach notifications and correspondence as evidence. Document the date you received notice, what you were told was compromised, and any actions you’ve taken in response.

Protecting Yourself After PHI Exposure

Place fraud alerts on your credit reports with all three major credit bureaus (Equifax, Experian, TransUnion). Fraud alerts are free and last one year. Consider a credit freeze to prevent new accounts from being opened in your name. Unlike fraud alerts, freezes completely block access to your credit report.

Monitor your credit reports regularly through AnnualCreditReport.com for unauthorized accounts or inquiries. Watch bank and credit card statements closely for fraudulent charges. Review your medical records and insurance Explanation of Benefits statements for services you didn’t receive or medical bills for treatments you didn’t get. Medical identity theft often goes undetected for years.

Change passwords for any healthcare provider patient portals and enable two-factor authentication where possible. Be alert for phishing emails or calls using your exposed health information to trick you into revealing more data. Sign up for any free credit monitoring services offered by your healthcare provider or TriZetto.

Report identity theft to the FTC at IdentityTheft.gov and file a complaint with the HHS Office for Civil Rights regarding HIPAA violations at hhs.gov/ocr/privacy/hipaa/complaints.

Monitoring the Lawsuit and Your Options

You typically don’t need to “join” a class action. If you’re a class member (someone whose data was compromised), you’re automatically included unless you opt out. Watch for official notice if the class is certified. This will explain your rights and options.

Check the case docket through PACER.gov or class action settlement tracking websites like TopClassActions.com or ClassAction.org for updates on the TriZetto litigation. You’ll need to decide whether to participate in the class action, opt out and file your own individual lawsuit, or object to any proposed settlement if you believe the terms are unfair.

Opting out preserves your right to sue TriZetto independently but means you won’t receive anything from a class settlement. Most people stay in the class action because individual lawsuits are expensive and time-consuming. If a settlement is reached, you’ll receive notice with a claim form and deadline. You’ll likely need documentation of any out-of-pocket losses related to the breach.

Frequently Asked Questions

What is the TriZetto data breach lawsuit about?

Multiple class action lawsuits allege TriZetto Provider Solutions failed to protect patient data during an 11-month breach from November 2024 to October 2025. The complaints claim TriZetto violated HIPAA and negligently allowed hackers to access protected health information of millions of patients whose data was processed through its healthcare software systems.

What patient information was exposed in the TriZetto breach?

The breach exposed names, addresses, dates of birth, Social Security numbers, health insurance member numbers (including Medicare numbers), health insurer names, and demographic and health insurance information. This combination of data creates serious identity theft and medical fraud risks.

What is PHI?

PHI (Protected Health Information) is any health-related information that can identify you, including medical history, diagnoses, treatments, prescriptions, test results, and billing records. PHI is protected under federal HIPAA laws because exposing it enables medical identity theft, insurance fraud, and privacy violations that can’t be easily fixed.

Am I part of the TriZetto class action?

You may be included if you received a breach notification letter from TriZetto or your healthcare provider indicating your information was compromised. The lawsuits seek to represent all individuals whose personally identifiable information or protected health information was exposed in the breach.

How much money can I get from the data breach lawsuit?

The cases haven’t reached settlement yet, so compensation amounts are unknown. Similar recent healthcare data breach settlements have provided $100-$5,000 per person depending on whether you have documented losses. Without receipts for actual harm, most class members receive smaller pro rata payments ranging from $20-$150.

What should I do if my health information was compromised?

Place fraud alerts or credit freezes on your credit reports, monitor your credit reports and medical records for unauthorized activity, change passwords for healthcare portals, watch for phishing scams, sign up for free credit monitoring offered, document all time and expenses related to addressing the breach, and file complaints with the FTC and HHS Office for Civil Rights.

Has TriZetto settled the data breach class action?

No. As of January 2026, the lawsuits filed in December 2025 are in their early stages. Healthcare data breach class actions typically take 2-4 years to resolve through settlement or trial. Watch for updates on court dockets or class action settlement websites.

Last Updated: January 13, 2026 — We keep this current with the latest legal developments.

💡 Pro Tip: Place a credit freeze immediately, not just a fraud alert. Freezes provide stronger protection by completely blocking access to your credit report, preventing criminals from opening new accounts in your name even if they have your Social Security number and other PHI from the breach.

Legal Disclaimer: This article provides general information about the TriZetto data breach class actions and is intended for educational purposes only. It does not constitute legal advice. Legal outcomes vary based on individual circumstances. AllAboutLawyer.com does not provide legal services, does not represent the class in the TriZetto class action, and is not affiliated with TriZetto Provider Solutions, Cognizant, or any parties to the litigation. For specific legal advice about the TriZetto data breach or your eligibility for compensation, consult a qualified attorney experienced in data breach or consumer rights litigation. Information about the breach and lawsuits is based on publicly available court filings, breach notifications, and news reports current as of January 13, 2026.

Take Action Now:

• Report identity theft: FTC IdentityTheft.gov

Related: Learn more about protecting yourself in our guides on WebTPA data breach settlement, AT&T class action lawsuit, and Kaiser class action lawsuit.

Stay informed, stay protected. — AllAboutLawyer.com

About the Author

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah