Millions of people across the U.S. had sensitive information leaked as a result of a 2024 data breach impacting healthcare technology company TriZetto Provider Solutions.

The company — which creates software to manage health insurance claims, enrollment and payments, handling more than four billion transactions annually — updated the size of the breach this week. 

Last month, several county governments in Oregon warned that thousands of residents were impacted by the breach at TriZetto, which provides insurance-eligibility verification services to public and private healthcare providers in the region. 

County officials said the company discovered the breach in October and found that it started in November 2024. A hacker used a web portal to access historical eligibility reports stored in TriZetto’s system. 

The Oregon counties said more than 700,000 people had sensitive healthcare data leaked, including Social Security numbers, addresses, health insurance numbers and more. TriZetto did not release any public comment about the incident.  

This week, TriZetto updated that figure, reporting to Oregon’s Department of Justice that 3,433,965 people were affected by the breach. 

The company also filed breach notifications in New Hampshire, California, South Carolina, Massachusetts, Vermont and Texas. Of those states, only Texas and South Carolina report the number of victims impacted. Texas said 171,158 people had data leaked and South Carolina said 3,562 were affected. 

Some private medical providers in Oklahoma and other states also confirmed that they were affected by the breach. 

TriZetto did not respond to requests for comment confirming the total number of victims. The company is a subsidiary of IT giant Cognizant, which also did not respond to requests for comment. 

The sample breach notification letters filed in each state are nearly identical and confirm that law enforcement was contacted after the breach was discovered in October. The company hired Google-owned incident response firm Mandiant to conduct an investigation. 

“[TriZetto] determined that, beginning in November 2024, an unauthorized actor began accessing some records related to insurance eligibility verification transactions that healthcare providers process to assess insurance coverage for treatment services they provide to patients,” the letters said..

The company began notifying customers in December. TriZetto noted that for several of its customers, it was asked to file breach notifications on their behalf with the U.S. Department of Health and Human Services’ Office for Civil Rights as well as with state agencies. 

Victims are being given access to credit monitoring services for one year. 

Cognizant was sued last year by industrial manufacturing giant Clorox over accusations its help desk was responsible for a 2023 cyberattack that cost hundreds of millions.