What started as a data breach affecting millions has spiraled into one of the largest cybersecurity incidents in U.S. history. Over 25 million Americans are now confirmed to be impacted by the ransomware attack at Conduent, a New Jersey-based business services company that handles medical billing, claims processing, and government benefit payments for millions of people across the country.
The breach occurred between October 21, 2024, and January 13, 2025, when an unauthorized party accessed Conduent's systems. The SafePay ransomware group claimed responsibility and stole 8.5 terabytes of data, threatening to release it publicly unless a ransom was paid. What made this especially serious: the data included names, Social Security numbers, medical records, and health insurance details tied to patients of Blue Cross Blue Shield of Texas, Blue Cross Blue Shield of Montana, Premera Blue Cross, Humana, and multiple state Medicaid programs.
The victim count kept climbing in shocking ways. New Hampshire initially reported nearly 11,000 affected residents in October 2025, but by February 17, 2026, that number had soared to over 181,000. Texas jumped from 4 million to 15.4 million. Oregon hit 10.5 million. The numbers kept expanding as Conduent and affected companies dug deeper into what was actually stolen.
At least 10 federal class action lawsuits have been filed against Conduent, with cases consolidated in U.S. District Court in New Jersey. Plaintiffs argue that Conduent failed to implement basic security measures required under HIPAA and state law. Meanwhile, Texas Attorney General Ken Paxton announced his office launched an investigation into Conduent Business Services, stating the breach could potentially be the largest healthcare data breach in U.S. history. Other state attorneys general, including those in Oregon and Montana, are also pressing for answers about notification delays and security failures.
Consumer notifications began in October 2025 and are expected to continue through mid-April 2026. Conduent is offering free credit monitoring to affected individuals, with a deadline of March 31, 2026, to enroll. The company says it found no evidence of actual misuse of the data so far, but has set up a dedicated call center to handle consumer inquiries and coordinate notifications with its government and corporate clients. No settlement exists yet—for now, litigation and investigations continue while millions of Americans wait to learn if their personal information will be misused.