Class action complaints allege failure to protect sensitive patient data, raising fresh concerns over healthcare cybersecurity and third-party risk
Cognizant Technology Solutions, one of the world’s largest IT services providers, is facing mounting legal pressure in the United States following a data breach involving its healthcare subsidiary, TriZetto Provider Solutions (TPS). Multiple class action lawsuits filed in late December accuse the company of failing to adequately protect sensitive patient information, an allegation that could have far-reaching implications for the healthcare and IT services industries globally.
The lawsuits, filed in US district courts in New Jersey and the Eastern District, center on the exposure of protected health information (PHI) and personally identifiable information (PII) belonging to patients whose data was processed through TriZetto’s healthcare claims platforms. While investigations are still ongoing, the legal actions underscore a growing trend: cyber incidents are no longer just technical failures; they are legal, financial, and reputational crises.
What Happened?
According to court filings and reporting by The Economic Times, at least four class action lawsuits were lodged in December against Cognizant Technology Solutions Corp and its subsidiary TriZetto Provider Solutions. The plaintiffs allege that inadequate security controls allowed unauthorized access to sensitive healthcare data.
One complaint states that Cognizant and TriZetto failed to “properly secure and safeguard” patient data, exposing individuals to risks such as identity theft, fraud, and long-term privacy harm. The lawsuits seek damages, remediation costs, and changes to security practices.
While Cognizant has not publicly disclosed full technical details of the breach at the time of writing, the case highlights the high stakes of cybersecurity failures in healthcare, an industry already under relentless attack from cybercriminals.
Why This Breach Matters
Healthcare data is among the most valuable targets for attackers. Unlike passwords, medical records and insurance data cannot simply be reset. When exposed, the consequences for patients can last a lifetime.
For enterprises, especially global IT service providers, the impact goes even further:
- Legal exposure through class action lawsuits
- Regulatory scrutiny under healthcare and data protection laws
- Loss of customer trust and reputational damage
- Increased pressure on third-party risk management
This case also reinforces a hard truth for organizations worldwide: outsourcing IT or healthcare platforms does not outsource accountability.
Industry Impact: A Wake-Up Call for Third-Party Risk
Cognizant’s situation is a stark reminder that supply-chain and third-party cybersecurity risks remain one of the weakest links in enterprise security. Even organizations with mature security programs can be exposed through subsidiaries, vendors, or managed platforms.
Cybersecurity leaders increasingly stress the need for continuous governance, risk, and compliance (GRC) oversight, an area where firms like Saintynet Cybersecurity actively support organizations through risk assessments, compliance programs, and security maturity frameworks.
What About MEA Organizations?
While the lawsuits are US-based, the implications are global. Many healthcare providers, insurers, and governments across the Middle East and Africa (MEA) rely on international technology vendors and cloud-based healthcare platforms.
As data protection regulations tighten across the region—such as PDPLs in the GCC and emerging health data laws in Africa—similar breaches could expose regional organizations to regulatory penalties and litigation. The Cognizant case serves as a cautionary tale for MEA CISOs and compliance leaders to reassess vendor security and data governance.
10 Recommended Actions for Security & Compliance Teams
To reduce the risk of similar incidents, organizations – especially in healthcare and critical services – should consider the following steps:
- Strengthen third-party risk management with continuous vendor assessments.
- Encrypt sensitive data both at rest and in transit across all platforms.
- Implement least-privilege access controls for employees and contractors.
- Conduct regular penetration testing and security audits of healthcare systems.
- Monitor for abnormal access patterns using threat detection and SIEM tools.
- Maintain clear incident response and breach notification plans.
- Align security programs with standards such as ISO 27001 and healthcare regulations.
- Train staff on data protection and cyber hygiene, including phishing awareness.
- Review contractual security obligations with subsidiaries and service providers.
- Invest in cybersecurity awareness and training programs through this platform.
Wider Lessons for the Industry
This breach reinforces an uncomfortable reality: cybersecurity failures are increasingly judged in courtrooms, not just SOCs. Regulators, judges, and customers expect demonstrable due diligence—not just security policies on paper.
For ongoing coverage of healthcare cybersecurity incidents, third-party risk, and data breaches, readers can explore related analysis on Cybercory, including previous reports on healthcare ransomware and supply-chain attacks.
Conclusion
The lawsuits against Cognizant following the TriZetto healthcare data breach mark another chapter in the growing convergence of cybersecurity, regulation, and litigation. As healthcare systems become more digital, and more interconnected, the cost of inadequate security continues to rise.
For organizations worldwide, the message is clear: cybersecurity is no longer optional, and trust is fragile. Protecting patient data is not just a technical responsibility; it is a legal and ethical one.




