Conduent Business Solutions LLC, a major U.S. business services and back-office contractor for healthcare and government programs, disclosed a massive data breach that has exposed the personal information of approximately 10.5 million individuals — making it the eighth-largest healthcare data breach on record in the United States.
According to regulatory filings and breach disclosures, attackers gained unauthorized access to Conduent’s systems late in 2024, with the intrusion continuing undetected for several months before discovery in January 2025. The stolen data includes names, Social Security numbers, dates of birth, medical information and health insurance details tied to numerous state Medicaid and healthcare insurance clients.
Conduent’s services include processing benefits, claims and eligibility for public-sector health programs and private insurers — a role that placed vast amounts of highly sensitive data at risk. Investigators believe the attackers maintained access from October 21, 2024 to January 13, 2025, during which time roughly 8.5 terabytes of data were exfiltrated.
Legal and Financial Fallout Looms
The breach has spawned a growing legal backlash. At least nine federal class-action lawsuits have been filed in New Jersey against Conduent, claiming negligence in safeguarding personal and protected health information, delayed breach detection, and tardy notifications to affected individuals.
Conduent has already incurred tens of millions of dollars in response costs. According to filings, the company spent around $9 million on incident responses by September 2025, with an additional $16 million expected to be disbursed by early 2026 for notifications, forensic investigations, and regulatory compliance. Cyber-insurance policies are expected to offset some of these costs.
Regulatory and government agencies in several states — including Montana and Texas — are probing the breach’s impact on state residents, with concerns that delayed disclosure may have exposed victims to prolonged risks. Some affected services, such as child support payment systems, experienced operational disruptions tied to the breach.
Risks for Affected Individuals and Recommended Safeguards
While Conduent has stated there is no confirmed misuse of the stolen data so far, the exposure of Social Security numbers and medical records significantly heightens the risk of identity theft, insurance fraud and financial exploitation for those affected.
Security experts and consumer advocates are urging affected individuals to take immediate protective steps, including:
- Monitor credit reports regularly with all major credit bureaus.
- Place fraud alerts or credit freezes to restrict unauthorized credit activity.
- Be vigilant for phishing or scam attempts that could exploit exposed personal details.
These steps are essential because, unlike passwords or financial account numbers, medical and identity data cannot be reset once stolen.
Broader Implications for Cybersecurity and Healthcare Data
The Conduent breach underscores systemic vulnerabilities within third-party vendors handling sensitive healthcare information. Because Conduent processes data on behalf of states, insurers and government health programs, a single breach has cascading effects across multiple sectors.
Cybersecurity analysts say the incident highlights the need for more robust vendor risk management, continuous monitoring and improved breach detection systems — particularly for companies entrusted with protected health information. As legal actions mount and regulatory scrutiny increases, the breach could have long-term repercussions for Conduent’s reputation, financial performance and client relationships.
