Cognizant faces US class-action lawsuits over TriZetto data breach

Cognizant acquired TriZetto for $2.7 billion in September 2014 to process and manage healthcare claims, marking one of the largest acquisitions by an Indian IT services firm. (File Photo)
Summary

At least 100 individuals are likely impacted as lawsuits claim Cognizant delayed disclosing TriZetto data breach, causing potential identity theft and financial losses.

BENGALURU: Cognizant Technology Solutions Corp is facing multiple class action lawsuits in the US alleging that its healthcare claims processing unit, TriZetto, failed to make timely disclosures after a cyberattack that allegedly went undetected—or undisclosed—for nearly a year.

According to the petitioners, the breach impacted at least 100 individuals across several US states, who said they lost personal information held by TriZetto. At least one complainant alleged that the Nasdaq-listed company was aware of the breach but still did not inform affected parties, a claim that could raise concerns for investors.

“In or about November 2024, hackers gained access to Defendants’ (Cognizant) computer network and accessed protected Private Information. Defendants claim to have first discovered the unauthorized access of its system on October 2, 2025, nearly a year after hackers had gained access,” according to one class action complaint filed by Liam Lytle, Maricruz Jimenez, and Carson Noel on 23 December.

The complainants said the total number of individuals affected by the breach remains unconfirmed and alleged that TriZetto failed to act promptly despite being aware of the incident.

Many of the lawsuits were filed in the last week of December by individuals in states including Arizona and California, who claimed they lost sensitive personal data such as financial account details, social security numbers, and addresses. Mint could not independently ascertain whether Cognizant intends to settle the claims.

The 23 December complaint alleged that Cognizant did not disclose critical details of the cyberattack.

“Defendants (Cognizant) have not disclosed the details of the cyberattack to Plaintiffs (complainants) or Class members, including the root cause of the data breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again. To date, these critical facts have not been explained or clarified to Plaintiffs and Class members, who retain a vested interest in ensuring that their Private Information remains protected,” read the class action complaint.

The complaint also said that Cognizant delayed informing its own clients of the data breach, and that many of the involved entities are allegedly still in the dark. “Defendants still have not informed all involved entities that their patients’ Private Information has been compromised.”

According to the petitioners, the alleged “unreasonable delay” in disclosure aggravated the financial harm suffered by affected individuals, as it prevented them from taking timely steps to protect themselves from identity theft and related risks. The delay, they said, led to incrementally higher damages than would have occurred with earlier notification.

The complainants raised concerns including the risk of losing healthcare coverage due to identity theft, potential increases in insurance premiums, and difficulties in resolving identity fraud.

Another complainant, Lisa Scorpio, alleged that her personal data may have been sold on illegal websites, raising the possibility of ransomware-linked activity.

“Plaintiff further believes her Private Information, and that of Class Members, was subsequently sold on the dark web following the Data Breach, as that is the modus operandi of cybercriminals that commit cyber-attacks of this type,” read the complaint filed by Scorpio in a New Jersey District Court on 29 December.

Mint could not independently assess the financial impact of the alleged breach, though the complainants have claimed damages exceeding $5 million, excluding interest and legal costs. Mint has seen a copy of both the complaints.

The lawsuits allege that Cognizant is liable on at least 18 counts, including claims that it unfairly retained profits while failing to adequately secure patients’ personal data, despite being paid to protect such information as part of healthcare services.

Each of the four petitioners has sought a jury trial, monetary damages for losses and attorney fees, and court orders directing Cognizant to conduct regular third-party audits of its systems. They have also sought orders requiring the company to delete the affected individuals’ data unless it can demonstrate a legitimate need to retain it.

The affected parties are represented by New Jersey-based Seeger Weiss LLP, California-based Cotchett, Pitre & McCarthy LLP, and Tennessee-based Milberg PLLC. Cognizant’s legal counsel is not known.

“TPS (TriZetto Provider Solutions) takes the protection of information very seriously and regrets any inconvenience this incident may have caused. Because this matter involves ongoing litigation, we are unable to provide further comment at this time,” said a Cognizant spokesperson.

Cognizant acquired TriZetto for $2.7 billion in September 2014 to process and manage healthcare claims, marking one of the largest acquisitions by an Indian IT services firm.

Rising cyber risks

The lawsuits come at a time when healthcare claims processing firms such as TriZetto are increasingly under scrutiny from cybercriminals, given the volume of sensitive patient data they handle. In March 2025, Infosys Ltd paid $17.5 million to settle similar data breach claims linked to its subsidiary Infosys McCamish Systems, which provides software and services for life insurance and retirement policies.

Cyber breaches have affected several Indian IT firms in recent years. Apart from Infosys’ McCamish settlement, Tata Consultancy Services Ltd has faced at least three cyber incidents at marquee clients, including Jaguar Land Rover and retailers Marks & Spencer and Co-op.

The lawsuits against Cognizant come about three years after S Ravi Kumar took over as chief executive of the company.

At least one expert said the litigation is likely to be prolonged.

“This is likely to drag on for a year or more and then be settled. All tech services firms face this risk; however, Cognizant has greater exposure to cyber risks as they combine a software offering with outsourcing, which increases their exposure relative to other tech services firms which provide just the managed service. All that said, cyber risks are increasing and expensive to mitigate. It is also impossible to completely protect against,” said Peter Bendor-Samuel, founder of Everest Group, a Texas-based IT research firm.

Bendor-Samuel added that the costs of the case are likely to be covered by insurance and could run into tens of millions of dollars.

Cognizant, which is headquartered in Teaneck, New Jersey, has previously faced legal challenges linked to its TriZetto software, including disputes over alleged misappropriation of trade secrets and anti-competitive behaviour related to healthcare software products.

TriZetto’s acquisition helped accelerate growth in Cognizant’s healthcare business. The company, which follows a January-December fiscal year, reported revenue of $19.74 billion in 2024, with health sciences clients accounting for nearly a third of total revenue, making it the company’s largest business segment. In 2013, prior to the TriZetto acquisition, health sciences contributed slightly more than a quarter of Cognizant’s annual revenue.
