
What the TriZetto Breach Teaches East African Businesses About Cybersecurity

Evans Ochieng

March 2026 · 8 min read

In February 2026, TriZetto — a healthcare technology subsidiary of Cognizant — disclosed a breach that exposed 3.4 million patient records. Names, social security numbers, medical histories, insurance details — all compromised. It's one of the largest healthcare data breaches in recent memory, and the ripple effects are still unfolding.

But this isn't just an American problem. For East African businesses — especially those in healthcare, fintech, and any sector handling sensitive data — the TriZetto breach is a masterclass in what goes wrong when cybersecurity is treated as an afterthought.

Here's what happened, why it matters to you, and what to do about it.

What Happened at TriZetto

TriZetto processes healthcare claims and patient data for thousands of medical providers across the United States. The breach exploited vulnerabilities in their data processing infrastructure — attackers gained access to unencrypted patient records stored in systems that lacked adequate access controls and monitoring.

The key failures:

  • Insufficient encryption — Patient data was stored without adequate encryption at rest
  • Weak access controls — The attackers moved laterally through systems with minimal resistance
  • Delayed detection — The breach went undetected for weeks before being identified
  • Poor incident response — Notification to affected patients was slow, compounding regulatory exposure

Cognizant now faces class-action lawsuits, regulatory investigations, and an estimated $200 million+ in direct and indirect costs.

Why East African Businesses Should Pay Attention

"We're not a US healthcare company" is not a defence. Here's why:

1. You're handling sensitive data too. If you process customer financial data (M-Pesa transactions, bank details), employee records, medical information, or government data — you have the same obligations and the same risks. Kenya alone processes over KES 30 trillion in mobile money annually. That's a massive attack surface.

2. Regulation is catching up fast. Kenya's Data Protection Act (2019) imposes obligations nearly identical to GDPR. Uganda's Data Protection and Privacy Act, Rwanda's Law on Protection of Personal Data — the regulatory framework across East Africa is maturing rapidly. Non-compliance penalties are real and increasing.

3. Attackers don't discriminate by geography. The same ransomware groups, phishing kits, and vulnerability exploits used against TriZetto are being deployed against East African targets daily. The 2025 Africa Cyber Threat Assessment found that 89% of businesses in the region experienced at least one cyber incident.

4. Your clients and partners are asking. International NGOs, multinational corporations, and government agencies increasingly require cybersecurity certifications from their vendors. If you can't demonstrate security compliance, you're losing contracts.

7 Critical Actions for Your Business

You don't need a Fortune 500 budget. You need discipline and the right priorities.

1. Encrypt Everything — At Rest and In Transit

If TriZetto had encrypted their patient records at rest, the breach would have been significantly less damaging. Stolen encrypted data is useless without the keys.

Action: Implement AES-256 encryption for all stored sensitive data. Use TLS 1.3 for all data in transit. This isn't optional — it's the minimum.

2. Implement Zero-Trust Access Controls

The days of "trusted internal network" are over. Every access request should be verified, regardless of where it originates.

Action: Deploy multi-factor authentication (MFA) on all systems. Implement role-based access control (RBAC). Use the principle of least privilege — employees should only access what they need for their specific role.

3. Monitor Continuously, Not Periodically

TriZetto's breach went undetected for weeks. In cybersecurity, detection speed is everything. The average cost of a breach drops by 65% when detected within the first 72 hours.

Action: Implement Security Information and Event Management (SIEM) or, at minimum, centralised logging with alerting. Monitor for unusual access patterns, data exfiltration attempts, and privilege escalation.
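
One way to turn centralised logs into the three alerts named above, as an added example that is not part of the original article. The key=value log format, the sample events, the rule names and the thresholds (5,000 records per 10 minutes, a 06:00 to 20:00 working day) are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed key=value log format.
SAMPLE_LOG = """\
2026-02-03T09:15:02 user=akinyi action=read_record count=3
2026-02-03T09:40:11 user=akinyi action=read_record count=5
2026-02-03T02:07:45 user=jmwangi action=read_record count=2
2026-02-03T02:08:10 user=jmwangi action=role_change new_role=admin
2026-02-03T02:09:30 user=jmwangi action=export count=4000
2026-02-03T02:12:30 user=jmwangi action=export count=3500
"""

# Assumed thresholds; tune them to your own baseline.
BULK_THRESHOLD = 5000           # records one user may touch per window
WINDOW = timedelta(minutes=10)
WORK_HOURS = range(6, 20)       # 06:00 to 19:59 local time

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event

def detect(log_text):
    """Return (timestamp, user, rule) alerts, one per user, rule and day."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])   # central logs can arrive out of order
    recent = defaultdict(deque)  # user -> (ts, count) pairs still inside WINDOW
    seen, alerts = set(), []
    def alert(ts, user, rule):
        if (user, rule, ts.date()) not in seen:   # suppress repeat alerts
            seen.add((user, rule, ts.date()))
            alerts.append((ts.isoformat(), user, rule))
    for e in events:
        user, ts = e["user"], e["ts"]
        if ts.hour not in WORK_HOURS:             # unusual access pattern
            alert(ts, user, "off_hours_access")
        if e["action"] == "role_change" and e.get("new_role") == "admin":
            alert(ts, user, "privilege_escalation")
        if "count" in e:                          # possible exfiltration
            q = recent[user]
            q.append((ts, int(e["count"])))
            while ts - q[0][0] > WINDOW:          # drop reads older than the window
                q.popleft()
            if sum(c for _, c in q) > BULK_THRESHOLD:
                alert(ts, user, "bulk_data_access")
    return alerts
```

Calling `detect(SAMPLE_LOG)` flags only the 02:00 session: the off-hours login, the admin role grant, and the point where two exports together cross the bulk threshold.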

4. Build an Incident Response Plan Before You Need One

Most organisations create their incident response plan *during* an incident. That's like writing a fire evacuation plan while the building is burning.

Action: Document a clear incident response procedure: who to call, how to contain, when to notify regulators (Kenya's DPA requires notification within 72 hours), and how to communicate with affected parties.

5. Conduct Regular Security Assessments

You can't protect what you don't understand. Regular penetration testing and vulnerability assessments reveal weaknesses before attackers find them.

Action: Schedule quarterly vulnerability scans and annual penetration tests. Address critical findings within 48 hours, high-severity within 2 weeks.

6. Train Your People

42% of breaches in East Africa start with phishing or social engineering. Your employees are both your greatest vulnerability and your first line of defence.

Action: Implement monthly security awareness training. Run simulated phishing campaigns. Make security part of your culture, not just an IT checkbox.

7. Pursue ISO 27001 Alignment

ISO 27001 provides the gold standard framework for information security management. You don't have to certify immediately, but aligning your practices with the framework creates a robust security posture.

Action: Start with a gap assessment against ISO 27001 controls. Prioritise the critical controls first — asset management, access control, cryptography, and incident management.

The Compliance Landscape

For East African businesses, here are the key regulatory frameworks to know:

  • Kenya Data Protection Act (2019) — Applies to any organisation processing personal data in Kenya. Requires data protection impact assessments, breach notification within 72 hours, and appointment of a Data Protection Officer for certain organisations.
  • Uganda Data Protection and Privacy Act (2019) — Similar scope with specific provisions for cross-border data transfers.
  • Rwanda Law on Protection of Personal Data (2021) — Establishes the National Cyber Security Authority as the regulatory body.
  • Tanzania Electronic Transactions Act — Covers electronic data security requirements.

Non-compliance isn't theoretical. Kenya's Office of the Data Protection Commissioner has been issuing enforcement notices and penalties since 2022.

The Bottom Line

The TriZetto breach cost Cognizant an estimated $200 million+. For an East African SME, a proportional breach could be existential — not just the direct costs, but the loss of customer trust, regulatory penalties, and competitive damage.

The good news: most breaches are preventable with the right fundamentals. Encryption, access controls, monitoring, training, and incident response planning don't require massive budgets. They require commitment.

Cybersecurity is not an IT problem. It's a business survival problem.

At IntelliByte, we provide comprehensive cybersecurity services tailored to the East African market — from penetration testing and vulnerability assessments to ISO 27001 alignment and security training programmes. We help businesses move from reactive to proactive security postures.

Don't wait for your own TriZetto moment. The time to act is now.
