Cognizant Technology Solutions Corp, a major Indian-origin IT services firm, is confronting multiple class-action lawsuits in the United States. The legal actions stem from a cybersecurity incident at its healthcare claims processing subsidiary, TriZetto, where a breach allegedly went undetected or unreported for close to a year.
The Allegations and Legal Complaints
According to the filed petitions, the data breach impacted a minimum of 100 individuals across several US states, including Arizona and California. The complainants allege that sensitive personal information such as Social Security numbers, financial account details, and addresses were compromised.
One class-action complaint, filed on 23 December 2024 by Liam Lytle, Maricruz Jimenez, and Carson Noel, states that hackers gained access to Cognizant's network around November 2024. However, the company reportedly claims to have discovered this unauthorized access only on 2 October 2025—a delay of nearly a year. The lawsuits accuse Cognizant of failing to make timely disclosures to the affected individuals and their associated healthcare entities.
"Defendants have not disclosed the details of the cyberattack to Plaintiffs or Class members, including the root cause of the data breach, the vulnerabilities exploited, and the remedial measures undertaken," reads the complaint from 23 December.
Consequences and Risks for Victims
The plaintiffs argue that this "unreasonable delay" in notification exacerbated the financial harm and risks they faced. By not being informed promptly, individuals were prevented from taking immediate steps to protect themselves from identity theft and fraud. The complaints detail potential consequences including the risk of losing healthcare coverage, increased insurance premiums, and the arduous process of resolving identity fraud.
In a separate complaint filed on 29 December in a New Jersey District Court, plaintiff Lisa Scorpio alleged that her private information may have been sold on the dark web, hinting at possible ransomware-linked activity. The total damages claimed across the lawsuits exceed $5 million, excluding interest and legal costs.
The legal actions hold Cognizant liable on at least 18 counts, including allegations that it unfairly retained profits while failing to adequately secure patient data it was paid to protect. The plaintiffs, represented by law firms including Seeger Weiss LLP and Cotchet Pitre & McCarthy LLP, have sought jury trials, monetary damages, and court orders for regular third-party security audits.
Broader Context for Indian IT and Cognizant
This legal challenge arrives approximately three years after S Ravi Kumar assumed the role of CEO at Cognizant. The company acquired TriZetto for $2.7 billion in September 2014, in one of the largest deals by an Indian IT services firm, significantly boosting its healthcare segment. Health sciences now contribute nearly one-third of Cognizant's annual revenue, which stood at $19.74 billion in 2024.
The lawsuits highlight the escalating cyber risks facing healthcare data processors. Peter Bendor-Samuel, founder of Everest Group, noted that while all tech firms face such threats, Cognizant's combination of software and outsourcing services increases its exposure. He anticipates the litigation could "drag on for a year or more" before a settlement, with costs potentially running into tens of millions of dollars, likely covered by insurance.
This incident is part of a worrying trend for Indian IT. In March 2025, Infosys Ltd paid $17.5 million to settle data breach claims related to its subsidiary Infosys McCamish Systems. Other firms like Tata Consultancy Services have also faced cybersecurity incidents at client sites.
In response to the lawsuits, a Cognizant spokesperson stated, "TPS (TriZetto Provider Solutions) takes the protection of information very seriously and regrets any inconvenience this incident may have caused. Because this matter involves ongoing litigation, we are unable to provide further comment at this time."
