According to TheRegister.com, thousands more Oregonians are being notified that their protected health information was exposed in a November 2024 hack of insurance verification provider TriZetto Provider Solutions. The intruders weren’t discovered until nearly a year later, and the threat was finally eliminated on October 2, 2025; the breach potentially affects over 700,000 people. Healthcare providers in Oregon, Massachusetts, Oklahoma, and California started being notified in early December 2025, and specific Oregon clinics such as Deschutes County (1,300 patients), La Pine (1,200), and Best Care (1,650) are now sending letters. Cognizant, which owns TriZetto, is facing multiple class action lawsuits over the breach; it insists this was not a ransom incident and has engaged Mandiant and law enforcement.
The Slow Drip of Bad News
Here’s the thing that gets me about these mega-breaches: the notifications never seem to end. The hack happened in late 2024. It was discovered and contained in October 2025. And now, in early 2026, letters are still hitting mailboxes. For an individual patient, that’s an agonizing timeline. You’ve been living your life for over a year, completely unaware your sensitive health data was sitting in a system that had been compromised. The providers say there’s “no evidence of misuse” yet, which is the standard line. But that clock is now ticking for hundreds of thousands of people who have to wonder if their data is being sold on some dark web forum. The sheer scale—over 700,000 records—means this isn’t some isolated clinic’s mistake. This is a systemic failure at a major player in the healthcare data chain.
Cognizant’s Security Problem
And this isn’t Cognizant’s first rodeo. Not even close. The article points out they’re being sued by Clorox for a stunningly basic 2023 security failure where IT support staff just… handed over passwords to attackers who asked for them. Now they’re in the crosshairs again with TriZetto. When you look at the official statements from the affected clinics, like the notices from Deschutes County or Variety Care in Oklahoma, they all point the finger squarely at their vendor, TriZetto Provider Solutions. For a company like Cognizant, which is in the business of managing complex IT and operations for other corporations, this is a reputational disaster. Lawsuits are one thing, but losing the trust of enterprise clients is existential. I mean, would you hire a firm with this kind of track record to guard your most sensitive data?
What’s Actually In Those Letters
If you’re curious what these breach notifications look like, the California Attorney General’s office has posted samples, including the generic patient letter and the initial provider notification letter. They’re full of legalese, of course, offering credit monitoring and the usual advice. But it really drives home the point: this isn’t just a credit card number. This is Protected Health Information (PHI)—diagnoses, treatment codes, insurance details. That’s the crown jewel for certain types of fraud. It’s also a nightmare for the smaller community health centers, like the Lynn Community Health Center or San Francisco Community Health Center, who now have to manage the fallout and the fear for their patients, despite the breach originating far outside their own walls.
The Bigger Picture
So what’s the takeaway? Basically, the healthcare sector’s supply chain is a massive vulnerability. A single point of failure at a verification provider like TriZetto ripples out to dozens, maybe hundreds, of clinics and ultimately millions of patients. It exposes a harsh truth: your local doctor’s office can have perfect security, but if one of their big vendors gets lazy or hacked, it doesn’t matter. For businesses in critical infrastructure—whether it’s healthcare, utilities, or manufacturing—this is a stark lesson in vendor risk management. You need partners with ironclad security practices. In sectors like industrial manufacturing, for instance, where operational technology is just as sensitive, companies can’t afford these kinds of breaches. Because when your core operations are on the line, you can’t just hope your vendors got it right. The TriZetto mess shows us exactly what happens when they don’t.
