TL;DR: Government technology contractor Conduent got hit by a ransomware attack in January 2025. First they said it affected 4 million people. Then 10 million. Now, as of February 5, 2026, the confirmed count has ballooned to at least 26 million Americans: 15.4 million in Texas alone, 10.5 million in Oregon, plus hundreds of thousands more across Delaware, Massachusetts, New Hampshire, and other states. The stolen data includes Social Security numbers, medical records, and health insurance details. Conduent handles Medicaid, food assistance, child support, and toll collection for state governments. The SafePay ransomware group claims it stole over 8 terabytes of data. Conduent still hasn't finished notifying victims, more than a year after the attack.
The Number Keeps Growing
Here's a number that should concern you: Conduent's technology touches more than 100 million Americans through government healthcare programs. The company processes $85 billion in annual disbursements and handles over 2 billion customer interactions per year [1].
When the ransomware attack hit in January 2025, Conduent initially downplayed the scope. Systems went offline for several days, disrupting government services across multiple states. By April 2025, the company publicly acknowledged a "cybersecurity incident." At that point, they estimated about 4 million Texans were affected [2].
That number quadrupled.
As of February 5, 2026, state attorney general filings show the confirmed victim count at at least 25.9 million:
- Texas: 15.4 million, roughly half the state's entire population [1]
- Oregon: 10.5 million, effectively the entire state [3]
- Delaware, Massachusetts, New Hampshire, Washington, South Carolina, Maine, California: Hundreds of thousands combined [4]
And Conduent still hasn't finished its "detailed analysis of the affected files." The number could go higher.
What They Lost
This isn't a breach where someone grabbed your email and a hashed password. The data Conduent handed to attackers is the kind that ruins lives:
- Social Security numbers
- Medical records
- Health insurance information
- Names, dates of birth, and personal identifiers
Social Security numbers don't change. Medical records are permanent. Once this data is out, it's out forever. And because Conduent handles government programs, the people affected are disproportionately those who depend on public assistance: Medicaid recipients, SNAP beneficiaries, families in the child support system [4].
These are people who already have fewer resources to fight identity theft.
Who Is Conduent?
Unless you work in government IT, you've probably never heard of Conduent. That's the problem.
Conduent is a Florham Park, New Jersey-based contractor that runs critical backend systems for state and federal government agencies. The systems you interact with when you apply for Medicaid, receive food assistance through SNAP, process child support payments, or pay highway tolls, there's a decent chance Conduent is handling the data behind the scenes [4].
You didn't choose to give Conduent your Social Security number. Your state government chose for you. You probably didn't know Conduent existed until they lost your data.
That's the fundamental problem with government outsourcing. Citizens have no say in which contractor handles their most sensitive information, no ability to opt out, and no direct relationship to demand accountability when things go wrong.
The SafePay Attack
The SafePay ransomware group claimed responsibility for the attack. They say they infiltrated Conduent's network starting October 21, 2024, and maintained access until January 13, 2025, nearly three months of undetected presence inside the company's systems [3][4].
SafePay claims to have exfiltrated over 8 terabytes of data. For context, that's enough storage for the complete personal files of millions of individuals: medical histories, government benefit records, financial details, everything.
Conduent discovered the breach on January 13, 2025, when the ransomware finally triggered and disrupted operations. The attackers had been inside for 84 days. Whatever security monitoring Conduent had in place didn't catch three months of data exfiltration from systems holding some of the most sensitive information the government collects [2].
A Year of Silence
The timeline tells you everything about Conduent's priorities:
- October 21, 2024: Attackers enter Conduent's network
- January 13, 2025: Ransomware triggers, services disrupted, breach discovered
- April 2025: First public acknowledgment, three months after discovery
- October 2025: Initial report estimates 4 million Texans affected
- December 31, 2025: Notification letters sent, nearly a year after the breach [3]
- February 5, 2026: Victim count revised upward to 26 million+
Victims started receiving letters in early February 2026. Some people whose Social Security numbers were stolen in January 2025 didn't find out until thirteen months later.
When TechCrunch asked Conduent spokesperson Sean Collins for specifics, he declined to confirm the total number affected or answer detailed questions about the breach scope. The company's position is that it's still conducting a "detailed analysis of the affected files" [1].
A year into that analysis, they still don't have a final count. Or they do and they're not sharing it.
Texas AG Opens Investigation
On February 12, 2026, Texas Attorney General Ken Paxton issued Civil Investigative Demands (CIDs) to both Conduent and Blue Cross Blue Shield of Texas. Paxton is demanding documents related to Conduent's security practices, breach response, and compliance with Texas data protection laws [6].
The investigation is examining whether BCBS Texas, which used Conduent to process Medicaid claims, "cut corners" on data protection requirements. With 15.4 million Texans affected, it could be the largest state-level data breach investigation in history.
Paxton's office hasn't indicated whether criminal referrals are being considered, but the CID process gives his team subpoena power to compel testimony and document production.
The Lawsuits Are Piling Up
At least ten federal class action lawsuits have been filed against Conduent in the U.S. District Court for the District of New Jersey, consolidated under multiple law firms including Lite DePalma Greenberg & Afanador, Milberg, and Wolf Haldenstein [3].
Plaintiffs are seeking class certification, compensatory damages, and injunctive relief. The litigation argues that Conduent failed to implement adequate security measures despite handling some of the most sensitive data the government collects.
At 10.5 million confirmed records exposed in Oregon alone, this ranks as one of the largest healthcare data breaches in U.S. history. The full 26 million+ figure could place it among the top five ever [3].
The Government Contractor Pattern
This isn't an isolated incident. Government contractors handling sensitive citizen data keep getting breached, and the pattern is always the same:
- A private company wins a government contract to handle sensitive data
- Security investment doesn't match the sensitivity of the data
- A breach occurs, often with months of undetected access
- The company takes months to notify victims
- Citizens who never chose this company face the consequences
Sedgwick Government Solutions, another contractor, got hit by ransomware while handling ICE and DHS data. The healthcare sector has been under relentless attack, with ransomware incidents reaching epidemic levels. And Conduent isn't a small, underfunded operation: it's a multibillion-dollar company processing $85 billion annually.
If a company that handles more transactions than most banks can't keep ransomware operators out for three months, what does that say about the rest of the government contractor supply chain?
What You Should Do
If you've received Medicaid, SNAP, child support, or other state government services in Texas, Oregon, Delaware, Massachusetts, New Hampshire, Washington, South Carolina, Maine, or California, your data may be compromised. Even if you haven't received a notification letter:
- Freeze your credit. Call all three bureaus: Equifax (800-349-9960), Experian (888-397-3742), TransUnion (888-909-8872). A credit freeze is free and prevents anyone from opening accounts in your name.
- Monitor your medical records. Request your medical records from your healthcare provider and check for services you didn't receive. Medical identity theft is harder to detect than financial fraud.
- File an IRS Identity Protection PIN. If your SSN was exposed, get an IRS Identity Protection PIN to prevent tax fraud.
- Watch for fraudulent government benefit claims. Stolen Medicaid and SNAP data can be used to file false benefit claims in your name.
- Check HaveIBeenPwned. Troy Hunt's Have I Been Pwned tracks breach datasets. Check if your email or data appears.
- Consider identity theft protection. Conduent is offering identity monitoring services to affected individuals. Take them up on it: they owe you that much.
The Real Cost
Conduent will pay settlements. They'll hire a crisis PR firm. They'll promise better security. The stock price will dip and recover.
The 26 million Americans whose Social Security numbers and medical records are now in a ransomware gang's hands don't get that option. They get to spend the rest of their lives watching for identity theft, medical fraud, and tax scams.
They never signed up for Conduent. They signed up for Medicaid. For food assistance. For child support. The government chose Conduent on their behalf, and Conduent failed them.
That's the cost of outsourcing public services to the lowest bidder.
Sources
- TechCrunch: Data breach at govtech giant Conduent balloons, affecting millions more Americans (February 5, 2026)
- Mezha: Massive Data Breach at Conduent Exposes Millions Across US States (February 2026)
- Top Class Actions: 10.5M records exposed: Conduent faces massive litigation (February 2026)
- Fox News: 10 million Americans hit by government contractor data breach (February 2026)
- HIPAA Journal: Conduent Business Services Data Breach Victim Count Swells to Over 25M (February 2026)
- Texas Attorney General: AG Paxton Demands Information from BCBS Texas and Conduent (February 12, 2026)
Published: February 6, 2026 | Updated: February 28, 2026