Health tech giant TriZetto has confirmed that more than 3.4 million people's personal and health information was stolen in a 2024 cyberattack, which the company failed to detect for almost a year. The scale is sobering.The tech company, owned by multinational conglomerate Cognizant, serves around 200 million people across 875,000 healthcare providers throughout the United States. When a company of this reach fails so spectacularly to monitor its own systems, institutional accountability demands answers.
The forensic investigation determined that an unauthorized third party first started accessing historical eligibility transaction reports within the TriZetto system in November 2024, almost a year before the unauthorized access was detected.The data includes personal information like patients' names, dates of birth, home addresses, and Social Security numbers, as well as information about their healthcare, such as their provider's name, demographic data, and health and insurance details. This is not merely financial data; it is the skeleton key to medical and financial identity.
A hacker used a web portal to access historical eligibility reports stored in TriZetto's system. The attack vector was not exotic. The company's failure was not due to sophisticated zero-day exploits beyond industry knowledge but rather to what appears to be inadequate monitoring of known web portal access. For an organisation trusted with the health records of one-fifth of all Americans, this represents a fundamental breach of duty.TriZetto and co-defendant Cognizant were facing nearly two dozen proposed federal class action lawsuits involving the data breach, with allegations that TriZetto was negligent in failing to protect plaintiff and class members' sensitive personal information from cyber attackers, putting the individuals at risk for identity theft and fraud crimes. The lawsuits seek financial damages as well as injunctive relief requiring TriZetto to improve its data security practices.
There is a legitimate counterargument here that bears stating plainly. Digital healthcare infrastructure in developed economies is vastly complex.The company creates software to manage health insurance claims, enrollment and payments, handling more than four billion transactions annually. Securing systems of this scope, integrating with hundreds of thousands of healthcare providers across multiple states and regulatory frameworks, is genuinely difficult. Breaches happen to organisations that invest heavily in defence; the problem is not always negligence but sometimes the intrinsic vulnerability of modern networked systems. No organisation is perfectly secure, and some defenders of TriZetto's parent Cognizant would rightly note that the company has attempted to remediate, cooperated with authorities, and offered credit monitoring services.
Yet the counterargument collapses under scrutiny. This breach was not subtle. An unauthorised actor maintained access to a core system for eleven months without detection. That is not a sophisticated compromise; that is a failure of basic institutional hygiene.Cognizant was sued last year by industrial manufacturing giant Clorox over accusations its help desk was responsible for a 2023 cyberattack that cost hundreds of millions. This is not an organisation's first misstep. This is a pattern.
For Australian readers, the TriZetto breach carries an important cautionary lesson. Australia's own health sector increasingly relies on third-party vendors for critical infrastructure. As digital health records move to centralised systems and as Australian healthcare providers integrate with global health tech platforms, the question of accountability for vendors becomes unavoidable. When a US-based company handles the eligibility data of millions, the regulatory distance between breach and remedy grows dangerously long. Australia's Department of Health may be watching this case carefully as it considers vendor risk frameworks for domestic healthcare infrastructure.
The pragmatic conclusion is uncomfortable but necessary. Digital healthcare delivers genuine public benefit; the systems are here to stay and should be here to stay. But that benefit creates an obligation. Companies handling millions of health records must be held to standards that make a year of undetected access not merely unlikely but operationally impossible. This requires regulatory clarity on monitoring requirements, mandatory security audits by third parties, and consequences that make complacency prohibitively expensive. TriZetto's year-long detection failure was not technically inevitable. It was a choice made through inadequate institutional commitment to the job entrusted.