TriZetto, a major health tech company processing billions of medical claims annually, just admitted something that should terrify every person with health insurance: Hackers stole 3.4 million patient records in 2024. They discovered it in 2025. That's 365 days of invisible theft while the breach quietly drained personal information, Social Security numbers, and medical details. Here is the unacceptable truth after working with dozens of healthcare organizations on HIPAA compliance: They found the breach. They still haven't found the gap that let it happen for a year.
TriZetto provides healthcare payment and claims processing technology. If you've ever filed a health insurance claim, there's a decent chance TriZetto's systems touched it somewhere along the way. They process billions of transactions annually for insurance companies, hospitals, and healthcare providers.
In March 2026, they confirmed what many suspected: Hackers breached their systems in 2024 and stole personal and health information for 3.4 million people. The breach went undetected for almost a full year.
⏳ The Timeline: Hackers got in sometime in 2024. Stole 3.4 million records. Nobody noticed. They had 365 days to do whatever they wanted with that data. TriZetto discovered it in 2025 and is just now, in March 2026, publicly confirming the scope.
Think about that for a second. 365 days.
In one year, those 3.4 million records could have been sold, resold, used in identity theft schemes, combined with other breach data to build comprehensive profiles, and weaponized in targeted phishing attacks. All before anyone even knew to warn the affected people.
The notification letters are going out now. Two years after the theft started. If you got one, the hosers have had your information longer than you've known it was compromised.
After working with dozens of healthcare, financial, and manufacturing companies on regulatory compliance, we see this pattern constantly. Organizations think finding the breach is the finish line.
It's the starting gun.
Finding the breach tells you what got stolen. Finding the gap tells you how it happened and whether it's still happening. TriZetto found the breach. Based on the public information available, we haven't seen any indication they've found the gap.
This is what we tell every healthcare organization we work with: Finding the breach is detective work. Finding the gap is prevention. One tells you what happened. The other tells you what's still happening.
And TriZetto's public statements focus on the breach, not the gap. That's a red flag.
The timing on this TriZetto announcement is brutal. Not for them—for every other healthcare organization.
Right now, this month, the Office for Civil Rights (OCR) is conducting Phase 3 HIPAA compliance audits of 50 covered entities. These aren't friendly check-ins. These are comprehensive audits looking for exactly the kind of gaps that led to TriZetto's 365-day blind spot.
⚖️ What Changed in 2026:
The new 2026 HIPAA Security Rule updates eliminated wiggle room. Encryption is now mandatory. No more "addressable" specifications you could skip if you had a good reason.
All implementation specifications must be followed. Period. And the most common violation OCR is finding in these audits? Missing or outdated risk assessments. Same thing that probably failed at TriZetto.
Here's what TriZetto's breach reveals about HIPAA compliance: They failed the most basic requirement. Continuous monitoring.
Not annual audits. Not quarterly security scans. Not penetration tests every six months. Continuous.
If you're monitoring continuously, you don't have 365-day gaps. You have 365-hour gaps at worst. More likely, you have 365-minute gaps. The breach gets detected fast, contained fast, remediated fast.
TriZetto had a 365-day gap. That tells me their monitoring wasn't continuous. And OCR is specifically auditing for continuous monitoring compliance right now.
Craig has implemented HIPAA compliance for healthcare providers, worked with financial institutions on data protection, and helped manufacturers secure intellectual property. The pattern is always the same.
Organizations think finding the breach is the finish line. It's not. It's the starting gun for the real work: finding every gap that allowed the breach, fixing those gaps, and implementing monitoring that catches the next attempt in minutes instead of months.
TriZetto found the breach. But based on the timeline—365 days undetected—they clearly didn't have continuous monitoring working. And that's the gap.
You might be thinking, "I don't work for TriZetto. Why should I care?"
Because your data is sitting in systems just like theirs.
Your health insurance company uses systems like TriZetto's. Your pharmacy uses them. Your doctor's billing department uses them. Your Medicare Advantage plan uses them. These backend healthcare payment processors touch your personal information constantly—and you have zero visibility into their security.
If these companies take a year to detect a breach, your information is exposed for 365 days before anyone warns you. The damage is done long before you can protect yourself. Criminals have already used your Social Security number to file fraudulent tax returns, your Medicare details to submit fake claims, and your personal information to craft perfect phishing emails targeting your retirement accounts.
By the time you get the breach notification letter, it's too late.
Craig has been doing cybersecurity since 1991. Thirty-five years. FBI InfraGard trainer. Zero successful ransomware attacks on his managed services clients. He knows every trick in the book.
His own father still fell for a phishing email.
Smart guy. Retired professional. Careful with money. But he clicked something he shouldn't have. The hosers got remote access to his computer and started hunting for financial documents. His stepmother saw the cursor moving on its own and called Craig immediately.
Craig connected remotely, kicked the attackers out, locked down his accounts. And caught it just in time—before they found the spreadsheet with all his bank account credentials sitting right there on his desktop.
We were lucky. Stupidly, ridiculously lucky.
That's when ForwardToSafety came to life. Craig asked himself: What would I build if the person I was protecting was my father?
Not enterprise security software. Not compliance dashboards. Something simple: Forward a suspicious email to [email protected]. Get a verdict in 47 seconds. No training. No software. Just forward and know. Because the next time my dad gets a suspicious email, I want him to have a better option than "hope I'm making the right call."
If you're a patient, employee, or business working with healthcare providers, financial institutions, or any company handling sensitive data, ask them directly:
"How long would it take you to detect a data breach?"
If they say "We do annual security assessments" or "We have quarterly penetration tests," that's not an answer. That tells you they're measuring compliance activities, not detection speed.
If they can't answer at all, that's worse. It means they've never measured it. They have no idea if a breach is happening right now.
The correct answer sounds like this: "Our monitoring detects anomalies within minutes. We investigate alerts within an hour. If we confirm a breach, we contain it and notify affected parties within 24 hours per HIPAA requirements."
If they can't give you specifics like that, your data is sitting in a system with TriZetto-sized blind spots.
Here's something most healthcare organizations don't want to admit: Being HIPAA compliant doesn't mean you're secure.
You can check every compliance box, pass every audit, have perfect documentation, and still get breached for 365 days without noticing. Because compliance measures what you've implemented. Security measures whether it's actually working.
TriZetto probably had HIPAA compliance documentation. They probably passed previous audits. They probably had all the required policies and procedures written down somewhere. But their continuous monitoring clearly wasn't working. And that's the gap between compliance theater and actual security.
Next time you visit your doctor, talk to your insurance company, or deal with your pharmacy, ask them: "How long would it take you to detect a data breach?" If they can't give you a specific answer measured in hours or days (not weeks or months), your information is sitting in a system with TriZetto-sized blind spots. Consider whether you want to give them additional sensitive information, or whether you need to move to a provider who takes detection seriously.
Operate under the assumption that systems around you are already compromised. When you get an email about your health insurance, Medicare, or medical billing—even if it looks completely legitimate—verify it through a separate channel before clicking anything. Call the company using a number from your insurance card, not the email. Log in through the official website you bookmarked, not through email links. Takes an extra 2 minutes. Beats spending 6 months recovering from identity theft.
Healthcare-related phishing is exploding because of breaches like TriZetto. The hosers have 3.4 million records to work with. They know your name, date of birth, insurance provider. They'll send perfectly targeted emails claiming to be from your insurance company, Medicare, or healthcare provider. Don't try to figure out if they're real. Forward them to [email protected] and get an expert analysis in seconds. We check authentication headers, sender reputation, link destinations—all the stuff you can't see by looking at the email.
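To make the two checks named above concrete, here is an added Python example of email triage that reads the Authentication-Results header a receiving mail server has already stamped on a message (SPF, DKIM and DMARC outcomes) and compares each link's visible text with where it actually points. This is illustration code written for this page, not the ForwardToSafety service's code; the sample message and every domain in it are constructed placeholders, and it does not attempt sender-reputation lookups.

```python
"""Triage an email by its authentication results and its link destinations."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): SPF and DMARC fail, DKIM is absent,
# and the visible link text names one host while the href goes to another.
SAMPLE_EMAIL = """\
From: "Member Services" <alerts@example-insurer.test>
To: patient@example.test
Subject: Action required on your claim
Authentication-Results: mx.example.test;
 spf=fail smtp.mailfrom=example-insurer.test;
 dkim=none;
 dmarc=fail header.from=example-insurer.test
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Review your claim at
<a href="http://claims-portal-login.example-bad.test/verify">https://www.example-insurer.test/claims</a></p>
</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results.

    A missing header or method is reported as 'none': no result is not a pass.
    """
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RE.findall(header):
            results[method.lower()] = result.lower()
    return results


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL or bare domain; '' if the text is not one."""
    value = value.strip()
    if not value or " " in value or "." not in value:
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def mismatched_links(html):
    """Links whose visible text names one host but whose href goes elsewhere."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            flagged.append((shown, actual))
    return flagged


def triage(raw_message):
    """Combine both checks into a verdict; anything short of a clean pass is flagged."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    flagged = mismatched_links(body)
    failed = [method for method, result in auth.items() if result != "pass"]
    verdict = "suspicious" if failed or flagged else "no red flags"
    return {"auth": auth, "failed_checks": failed,
            "mismatched_links": flagged, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

The script only trusts an Authentication-Results header written by your own mail provider; a message can carry a forged one, so in practice the receiving server's identity (the first token, here the placeholder mx.example.test) is checked before the results are believed. The link check deliberately treats any difference between the displayed host and the real host as a red flag rather than trying to decide which one is "legitimate".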
Finding a breach 365 days later means one thing: continuous monitoring failed. Period. No other explanation makes sense. And if continuous monitoring failed at a major health tech company processing billions of claims, what makes you think it's working at your local doctor's office or regional insurance company?
Your healthcare data is only as secure as the weakest monitoring system touching it. And based on TriZetto's timeline, a lot of those systems aren't monitoring at all. They're just hoping nothing bad happens and checking compliance boxes.
Every week, we break down healthcare breaches, HIPAA compliance updates, and the latest attack techniques targeting your retirement savings. Plain English. No jargon. Just what you need to know.
Free weekly emails at CraigPeterson.com
365 days is a long time to wait for bad news, folks.
— Team Craig