Conduent Breach Hits 25M: What Law Firms Need to Know
The Conduent data breach now affects 25M+ Americans — SSNs, medical records, and Medicaid data stolen across 30+ states.

Shere Saidon

CEO & Founder at LlamaLab

Published March 30, 2026

Conduent Breach Swells to 25 Million — SSNs, Medical Records, and Medicaid Data Stolen Across 30+ States

The Conduent data breach now affects at least 25 million Americans — more than doubling the initial estimate of 10.5 million — after revised state filings in February 2026 revealed the full scope of data stolen by the SafePay ransomware group. The attackers spent 83 days inside Conduent's network between October 2024 and January 2025, exfiltrating approximately 8.5 terabytes of data including Social Security numbers, medical records, health insurance details, and Medicaid claims data from the company's government services infrastructure.

Texas alone accounts for 14.7 million affected individuals. Conduent, a $3 billion technology services company that processes Medicaid claims and benefit disbursements for 500+ government entities across 30+ states, began sending breach notification letters in October 2025 — nine months after discovering the intrusion, well beyond HIPAA's 60-day notification requirement.

25M+: Americans affected — doubled from initial 10.5M estimate (Malwarebytes)

83 days: Attackers operated undetected inside Conduent's network (IDStrong)

8.5 TB: Data exfiltrated — SSNs, medical records, insurance claims (SafePay claim)

What Was Stolen

Conduent provides back-end processing for state Medicaid agencies, health insurers, and corporate benefits programs. The stolen data reflects that breadth: full legal names, addresses, dates of birth, Social Security numbers, medical information including treatment and diagnosis codes, health insurance details, provider names, dates of service, claim amounts, and employment records.

The breach affected state agencies and private insurers including Blue Cross Blue Shield of Texas, Blue Cross Blue Shield of Montana, Premera Blue Cross, Humana, and corporate clients like Volvo Group North America.

"SSNs plus medical and insurance data enable long-tail identity theft, medical fraud, and highly targeted phishing that can haunt victims for years," wrote Pieter Arntz, malware intelligence researcher at Malwarebytes.

How It Happened

The SafePay ransomware group gained access on October 21, 2024, using compromised credentials. They operated for 83 days using legitimate credentials and normal workflows that avoided detection. Legacy security tools that rely on perimeter monitoring failed to flag the exfiltration of 8.5 terabytes of data.

The Scale in Context

The Conduent breach is among the largest healthcare-related data breaches in U.S. history, though it trails the Change Healthcare breach of 2024, which affected 192.7 million individuals. What distinguishes Conduent is the population affected: Medicaid recipients and government benefits recipients — disproportionately low-income and vulnerable populations who may lack the resources to monitor for identity theft.

The breach fits a broader pattern. Healthcare breach frequency increased 112% in 2025 compared to 2024, with 842 large breaches reported to HHS. Third-party vendors were involved in 34% of healthcare breaches, and ransomware accounted for 79% of large incidents. The average healthcare breach now costs $10.93 million — the highest of any industry for 14 consecutive years.

Oct 21, 2024 (Initial breach): SafePay ransomware group gains access to Conduent's network using compromised credentials

83 days (Undetected): Attackers operate undetected, exfiltrating 8.5 TB of SSNs, medical records, and Medicaid data across 30+ states

Jan 13, 2025 (Discovery): Conduent discovers the intrusion and begins internal investigation

Oct 24, 2025 (Notification): First breach notification letters sent — 9 months after discovery, well beyond HIPAA's 60-day requirement

Feb 2026 (Scope doubles): Revised state filings reveal 25M+ affected individuals — more than doubling the initial 10.5M estimate

Class Action Litigation

At least 10 federal class action lawsuits have been consolidated into In Re: Conduent Business Services Data Breach Litigation (Case No. 2:25-cv-16953) in the U.S. District Court for the District of New Jersey before Judge Michael E. Farbiarz. Plaintiffs allege negligence, breach of contract, and unjust enrichment, claiming Conduent stored sensitive information in unencrypted, internet-accessible environments and failed to implement basic security measures.

Texas Attorney General Ken Paxton launched a formal investigation in February 2026, adding state enforcement pressure to the federal litigation.

The HIPAA Notification Question

HIPAA's breach notification rule requires covered entities and business associates to notify affected individuals within 60 days of discovery. Conduent discovered the breach on January 13, 2025, but notifications didn't begin until October 24, 2025 — approximately nine months later.

"The damage could have already been done, given the timeline," said James E. Lee, president of the Identity Theft Resource Center.

The precedent for HIPAA enforcement at this scale is the Change Healthcare settlement: $126 million in HIPAA fines paid in 2025. With 25 million affected individuals and a significant notification delay, Conduent faces substantial regulatory exposure.

What This Means for Law Firms Handling Medical Records

The Conduent breach is a case study in third-party vendor risk — and a reminder that any organization handling medical records is only as secure as its weakest vendor.

Supply Chain Exposure

Conduent's breach didn't just affect Conduent. It cascaded across state Medicaid agencies, health insurers, and corporate benefits programs that relied on Conduent to process their data. For law firms, the lesson is direct: any vendor involved in medical records retrieval, claims processing, or document management represents a potential point of compromise.

Security analysts at Blacksmith Infosec noted that the breach demonstrates how "vendor due diligence based on SOC 2 reports and security questionnaires may provide false confidence" — Conduent had standard certifications, yet attackers operated inside the network for 83 days using legitimate credentials.

What Firms Should Verify

For any vendor handling medical records or client data, firms should verify: SOC 2 Type II certification with current audit reports, encryption at rest and in transit, role-based access controls with audit logging, incident response plans with defined notification timelines, and whether data is stored in shared or isolated environments. The Conduent breach shows that checking the box on security questionnaires is not enough — the operational reality matters.

Key Points

Essential takeaways from this article

25M+ Americans affected across 30+ states — SSNs, medical records, and Medicaid data stolen during 83 days of undetected access
9-month notification delay (vs. 60-day HIPAA requirement) exposes Conduent to significant regulatory penalties following the $126M Change Healthcare precedent
Third-party vendor risk is the core lesson — one compromised vendor cascaded across state agencies, insurers, and employers
Law firms handling medical records must verify vendor security beyond SOC 2 checkboxes: encryption, access controls, isolation, and incident response timelines

The Bottom Line

The Conduent breach underscores a reality that every organization handling medical records must confront: the data is only as secure as the infrastructure it moves through. For law firms managing medical evidence across mass tort portfolios, personal injury cases, and litigation support, vendor security is not a compliance checkbox — it's a liability question.

The 25 million affected individuals, the nine-month notification delay, and the consolidated class action litigation are the consequences of treating data security as someone else's problem. For firms evaluating their own medical records workflows, the question is whether their vendors can demonstrate — not just claim — that sensitive data is encrypted, isolated, and monitored in real time.

Secure Medical Records Retrieval

LlamaLab is HIPAA-compliant and SOC 2 certified, with encrypted infrastructure and direct provider retrieval — no third-party data aggregators in the chain.

Sources: Malwarebytes, IDStrong, AllAboutLawyer, Fortified Health Security, Identity Theft Resource Center, Blacksmith Infosec.
