Breach Analysis

The Conduent breach: 25 million Americans exposed and most never heard of this company

Hackers spent 83 days inside a government contractor most people have never heard of and walked out with Social Security numbers, medical records, and Medicaid data. Here is everything you need to know and what to do right now.

April 2, 2026 | 9 min read | By Baris Ayarkan

If you have never heard of Conduent, you are not alone. That is exactly how the company operates. As a back-office technology contractor, Conduent processes Medicaid claims, SNAP payments, child support disbursements, and corporate benefits programs on behalf of government agencies and large employers across the United States. You interact with its systems constantly without ever knowing the company exists. And now, because of a ransomware attack that went undetected for nearly three months, your most sensitive personal data may already be in criminal hands.

⚠️
Still being notified

Conduent expects to finish mailing breach notification letters to all affected individuals by mid-April 2026. If you receive one, do not throw it away. It is legitimate and contains enrollment details for free identity protection services. The deadline to enroll is April 30, 2026.

Americans affected: 25M+
Days undetected: 83
Data stolen: 8.5 TB
Delay to notify victims: 9 months

What happened and when

The SafePay ransomware group gained access to Conduent's network on October 21, 2024 using compromised credentials. They remained inside undetected until January 13, 2025, a span of 83 days, quietly copying files the entire time. When Conduent discovered the intrusion it locked down its systems, which caused payment and service outages across multiple states including Wisconsin and Oklahoma. People receiving state benefits suddenly could not access funds and agencies could not process claims.

Conduent filed an SEC disclosure in April 2025 acknowledging the incident but described it as affecting a limited number of clients. Notification letters did not begin reaching victims until October 2025, nine months after discovery. Under HIPAA, covered entities are required to notify affected individuals within 60 days of discovery. Conduent took more than four times that long.

📈
Why the number kept growing

Conduent initially told Oregon roughly 10,500 residents were affected. After further review that became 10.5 million. Texas went from 4 million to 15.4 million. New Hampshire jumped from 11,000 to over 181,000. The company was still discovering the full scope months after the attack ended.

What data was stolen

Because Conduent processes healthcare and government benefit data, the stolen records fall into the most sensitive categories of personal information that exist. Notification letters and regulatory filings confirm the exposed data includes full legal names, postal addresses and dates of birth, Social Security numbers, medical information including treatment and diagnosis codes, provider names and dates of service, health insurance details including plan names and policy numbers, Medicaid claims data, and in some cases employment records from corporate clients.

The affected organisations include Blue Cross Blue Shield of Texas, Blue Cross Blue Shield of Montana, Premera Blue Cross, Humana, and Volvo Group North America, where nearly 17,000 employees were confirmed affected.

Why this breach is worse than most

When a retailer gets breached and your email and payment card are exposed, you cancel the card and move on. The Conduent breach is a different category of problem entirely. Social Security numbers combined with medical records, insurance details, and address history create what fraud researchers call a full profile — everything a criminal needs to open new lines of credit in your name, file fraudulent tax returns, commit medical insurance fraud, or run highly targeted phishing attacks that reference your real treatment history to appear convincing.

Unlike a password, you cannot rotate a Social Security number. The risk from this kind of data exposure is measured in years, not weeks.

🔗
The third-party problem

You signed up for Medicaid through your state. The state contracted with Conduent to process your claims. Conduent stored your SSN and medical records. Hackers stole them. You never had any direct relationship with Conduent and had no way to know your data was there.

What you should do right now

Work through this list in order. The steps at the top have the highest immediate impact.

  1. Freeze your credit at all three bureaus. Equifax, Experian, and TransUnion all allow free credit freezes online. A freeze prevents new accounts from being opened in your name even if someone has your SSN.
  2. Enrol in the free identity protection Conduent is offering. Follow the instructions in your notification letter before April 30, 2026. Helpline: 877-332-1658, Mon–Fri 9am–9pm Eastern.
  3. Place a fraud alert. You only need to file with one bureau — they notify the others automatically.
  4. Watch for medical fraud. Check your Explanation of Benefits for treatments you did not receive.
  5. Be alert to targeted phishing. Attackers may reference your real medical details to appear convincing.
  6. File your taxes early. Prevent fraudulent returns filed in your name.
  7. Monitor your credit reports. AnnualCreditReport.com — check all three bureaus for accounts you do not recognise.
📅
Set a reminder for six months from now

Medical identity theft and SSN fraud often surface months after the initial breach. Set a calendar reminder to re-check your credit report and insurance statements in October 2026.

At least ten federal class action lawsuits have been consolidated into a single case in the US District Court for the District of New Jersey. Plaintiffs allege Conduent stored sensitive information in unencrypted internet-accessible environments and failed to implement basic security measures. Texas Attorney General Ken Paxton launched a formal investigation in February 2026, calling it "likely the largest healthcare data breach in US history." Conduent has spent approximately $25 million on breach response and notifications so far.

The Conduent breach is the most visible example yet of a systemic problem. Critical personal data is routinely handled by layers of contractors operating behind the scenes. When those third parties are breached, the impact cascades across every organisation that trusted them with your data.
