TriZetto and Cares Community Health: California health system sued over 2024 breach on health IT vendor TriZetto

Lawsuit Alleges One Community Health Failed to Protect Patient Data in TriZetto Breach

A patient of One Community Health in Sacramento has filed a class-action lawsuit, accusing the nonprofit health system of failing to safeguard sensitive patient data after a breach at TriZetto, a health IT vendor. The incident, which occurred in November 2024, went undetected until October 2025, when unauthorized access to patient records was publicly disclosed.

TriZetto, a subsidiary of Cognizant, provides claims management and payer billing solutions. One Community Health (legally named Cares Community Health) used TriZetto’s services to handle patient and insurance billing, sharing records that included names, birth dates, Social Security numbers, insurance details, and treatment information. The lawsuit alleges these records were stored offsite by the vendor without adequate encryption or security measures.

Plaintiff Scott Carucci, a One Community Health patient, claims his data was compromised in the breach. His lawsuit, filed on January 15, seeks class-action status, arguing that the health system’s alleged negligence including sharing unencrypted data and failing to vet TriZetto’s security practices enabled the attack. The complaint contends that stronger cybersecurity measures could have prevented the breach.

The case underscores growing legal and regulatory scrutiny over third-party vendor risks in healthcare data security.

Source: https://healthexec.com/topics/health-it/cybersecurity/california-health-system-sued-over-2024-breach-health-it-vendor-trizetto

TriZetto Healthcare cybersecurity rating report: https://www.rankiteo.com/company/trizetto-healthcare

One Community Health Sacramento cybersecurity rating report: https://www.rankiteo.com/company/onecommunityhealthsacramento

"id": "TRIONE1769160575",
"linkid": "trizetto-healthcare, onecommunityhealthsacramento",
"type": "Breach",
"date": "11/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Patients of One Community '
                                              'Health',
                        'industry': 'Healthcare',
                        'location': 'Sacramento, California, USA',
                        'name': 'One Community Health (Cares Community Health)',
                        'type': 'Nonprofit Health System'},
                       {'industry': 'Healthcare Technology',
                        'name': 'TriZetto (Cognizant subsidiary)',
                        'type': 'Health IT Vendor'}],
 'attack_vector': 'Third-Party Vendor Compromise',
 'data_breach': {'data_encryption': 'Inadequate or none',
                 'personally_identifiable_information': 'Names, birth dates, '
                                                        'Social Security '
                                                        'numbers',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Patient records, personally '
                                             'identifiable information, '
                                             'insurance details, treatment '
                                             'information'},
 'date_detected': '2025-10',
 'date_publicly_disclosed': '2025-10',
 'description': 'A patient of One Community Health in Sacramento has filed a '
                'class-action lawsuit, accusing the nonprofit health system of '
                'failing to safeguard sensitive patient data after a breach at '
                'TriZetto, a health IT vendor. The incident went undetected '
                'until unauthorized access to patient records was publicly '
                'disclosed. The lawsuit alleges that records including names, '
                'birth dates, Social Security numbers, insurance details, and '
                'treatment information were stored offsite by the vendor '
                'without adequate encryption or security measures.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Names, birth dates, Social Security numbers, '
                                'insurance details, treatment information',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Class-action lawsuit filed',
            'systems_affected': "TriZetto's claims management and payer "
                                'billing systems'},
 'lessons_learned': 'Third-party vendor risks in healthcare data security '
                    'require stronger vetting and encryption standards.',
 'post_incident_analysis': {'root_causes': 'Inadequate vendor security '
                                           'vetting, unencrypted data storage, '
                                           'delayed detection'},
 'recommendations': 'Implement stricter vendor security assessments, enforce '
                    'data encryption for shared records, and enhance '
                    'monitoring of third-party access.',
 'references': [{'source': 'Lawsuit filing'}],
 'regulatory_compliance': {'legal_actions': 'Class-action lawsuit filed',
                           'regulations_violated': 'Potential HIPAA '
                                                   'violations'},
 'title': 'Lawsuit Alleges One Community Health Failed to Protect Patient Data '
          'in TriZetto Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Inadequate encryption, insufficient vendor '
                            'security vetting'}