TL;DR:
- 25+ million Americans exposed in what Texas AG Ken Paxton calls "likely the largest breach in U.S. history"[3]
- Most victims never interacted with Conduent directly. The company processes Medicaid, SNAP, child support, and toll payments for 46 states[1]
- Attackers spent nearly 3 months inside (Oct 21, 2024 – Jan 13, 2025), stealing 8 terabytes including SSNs, medical records, and health insurance data[5]
- Texas: 15.4 million affected. Oregon: 10.5 million. Numbers keep growing as more states investigate[2]
- Conduent waited 9 months to notify victims: breach discovered January 2025, letters sent October 2025[4]
The Company You've Never Heard Of
You've probably never heard of Conduent. That's by design.
The company operates behind the scenes of American public services. It processes $85 billion in annual disbursements across 46 states.[1] If you've received Medicaid, SNAP benefits, unemployment checks, or child support payments, your personal data likely flowed through Conduent's systems.
Conduent handles:
- Medicaid enrollment and claims processing
- SNAP (food stamps) benefits distribution
- Child support payment processing
- Unemployment insurance disbursements
- Toll collection and DMV services
- Corporate HR and payroll for Fortune 100 companies
The company serves approximately 100 million residents.[1] Most have no idea their data sits in Conduent's databases. They found out in October 2025, when breach notification letters started arriving.
Three Months, Nobody Noticed
The SafePay ransomware gang broke into Conduent's systems on October 21, 2024.[5]
For the next 84 days, attackers roamed through the network. They exfiltrated approximately 8 terabytes of data, roughly 8 million documents, or 8,000 gigabytes of sensitive records.[5]
Conduent didn't notice until January 13, 2025.[5]
What was stolen:
- Full names and Social Security numbers
- Dates of birth and home addresses
- Medical records and treatment information
- Health insurance details
- Medicaid and benefits enrollment data
This isn't just identity theft material. It's the complete picture needed to impersonate someone for medical fraud, benefits theft, or targeted scams.
The Numbers Keep Growing
When Conduent first disclosed the breach, early estimates suggested 4 million affected in Texas.
That number is now 15.4 million Texans.[2]
Oregon holds steady at 10.5 million. Together, just two states account for most of the 25+ million confirmed victims. But Conduent operates in 46 states. More notifications are expected.[2]
Texas Attorney General Ken Paxton launched an investigation in February 2026, calling it "likely the largest breach in U.S. history."[3] He issued Civil Investigative Demands to both Conduent and Blue Cross Blue Shield of Texas.
"Texans deserve to know that their private health information is being handled responsibly and in full compliance with the law," Paxton said. "If any insurance giant cut corners...I will work to uncover it."[3]
Nine Months to Tell You
Here's the timeline:
- October 21, 2024: Attackers break in[5]
- January 13, 2025: Conduent discovers the breach[5]
- February 2025: SafePay ransomware group claims responsibility
- October 2025: Notification letters finally start going out[4]
Nine months. For nine months, 25+ million Americans had no idea their SSNs, medical records, and health insurance data had been stolen.[4]
State breach notification laws typically require disclosure within 30-60 days. Conduent took nine months. The company claims it needed time to investigate the scope, but victims needed time to freeze their credit and monitor for fraud.
Are You Affected?
Here's the frustrating part: you might never have directly interacted with Conduent. Your data got there through state benefit programs, health insurers, or corporate HR systems.
You may be affected if you:
- Received Medicaid or CHIP benefits in any state
- Used SNAP (food stamps) benefits
- Received child support payments
- Collected unemployment insurance
- Work for a company that outsources HR or payroll
- Have insurance through Blue Cross Blue Shield in Texas
Steps to take now:
- Freeze your credit at all three bureaus (Equifax, Experian, TransUnion). This is free and stops new accounts from being opened.
- Check for notification letters, but don't wait for one. Conduent's notification process has been slow.
- Monitor explanation of benefits statements for medical services you didn't receive.
- Review your credit reports at AnnualCreditReport.com.
- Enroll in credit monitoring if you receive a breach letter. Conduent offers two years free. Enrollment deadline: March 31, 2026.
The Invisible Data Processor Problem
This breach illustrates a fundamental privacy problem: your data flows through companies you've never heard of.
You signed up for Medicaid through your state's website. The state contracted with Conduent to process claims. Conduent stored your SSN, medical records, and health insurance details. Hackers stole it. You never knew Conduent existed.
This is the third-party data processor problem. Companies like Conduent handle sensitive data for government agencies and large corporations. When they get breached, millions of people who never chose to do business with them become victims.
It's not just Conduent. Data flows through cascading chains of contractors, subcontractors, and service providers. Each handoff creates risk. Each company is a potential breach target.
You can't opt out of having your data processed by companies you've never heard of. If you want government benefits, you accept whatever contractors the government chose. If you want health insurance, you accept your insurer's data processing partners.
What Happens Now
Texas is investigating. Class action lawsuits are likely. But that won't un-steal your data.
25 million Americans now have their SSNs, medical records, and personal details circulating in criminal markets. That data will be used for:
- Identity theft and credit fraud
- Medical identity theft (billing fake procedures to your insurance)
- Tax fraud (filing fake returns with your SSN)
- Benefits theft (redirecting government payments)
- Targeted phishing and scam calls
The breach happened over a year ago. The data has had plenty of time to spread.
Freeze your credit. Watch your accounts. And remember: somewhere out there, a company you've never heard of has your data. It probably has less security than you'd like.
Sources
- TechCrunch: Data breach at govtech giant Conduent balloons, affecting millions more Americans
- Malwarebytes: The Conduent breach; from 10 million to 25 million (and counting)
- Texas Attorney General: Ken Paxton Demands Information from BCBS and Conduent
- IDStrong: Conduent Data Breach 2025–2026: 25 Million Affected
- Cybersecurity News: Conduent Data Breach - Ransomware Group Stolen 8 TB of Data
Published: March 16, 2026