Conduent Breach Confirmed to Have Exposed Data of 62.2 Million People

A back-office vendor most victims never heard of

The personal data of more than 62.2 million people was exposed in a 2024 ransomware attack on Conduent Business Services, the company has now confirmed, making it one of the largest breaches in U.S. history.hipaajournal Conduent is not a household name, but it processes printing, mailroom, payment and back-office work for state benefit programs, large employers and major health insurers, with services that the company says reach more than 100 million people.techcrunch Hackers sat inside its network from October 21, 2024, until the intrusion was detected on January 13, 2025, exfiltrating files tied to dozens of clients.hipaajournal

Social Security numbers and medical records swept up

The stolen information varies by individual but includes names, dates of birth, addresses, Social Security numbers, health insurance details and medical records.hipaajournal The SafePay ransomware group claimed responsibility and said it took roughly 8.5 terabytes of data, threatening to publish it unless a ransom was paid.hipaajournal Conduent maintains there is no evidence the data has been misused, posted or made publicly available.hipaajournal

The victim count climbed for more than a year as Conduent fed updated figures to state regulators. Notices to the Texas attorney general alone grew from about 4 million people to more than 15.4 million, while Oregon's filings accounted for another 10.5 million.hipaajournal Affected clients include health insurers Humana, Premera Blue Cross, and Blue Cross and Blue Shield plans in Texas and Montana, along with corporate employers such as Volvo Group North America, which said nearly 17,000 of its workers were exposed.hipaajournal +1

Regulators circle as the cleanup drags

Texas Attorney General Ken Paxton, who opened an investigation, called it "likely the largest breach in U.S. history," though it still trails the 2024 Change Healthcare attack that hit roughly 190 million people.hipaajournal +1 Conduent disclosed the incident in an April 2025 securities filing and estimated about $25 million in response costs, much of it expected to be covered by cyber insurance, even as class-action lawsuits mounted in New Jersey federal court.hipaajournal

The company's handling of notifications has drawn criticism. Conduent published an "Incident Notice" online but embedded a hidden "noindex" tag instructing search engines not to list the page, making it harder for affected people to find.techcrunch Those notified were offered free credit monitoring through Epiq, with some enrollment deadlines set for April 30, 2026.gizmodo More than a year after the intrusion, Conduent says it still cannot confirm the full scale of the breach.hipaajournal