The HIPAA Guide - Celebrating Over 15 Years Online

Conduent Business Services Confirms 2024 Data Breach Affected 62.2 Million Individuals

June 8, 2026HIPAA News Today: Breaches, Violations, and Fines0

Conduent Business Services, a New Jersey-based provider of back-office services to healthcare organizations, identified a system intrusion on January 13, 2025. It has taken around 17 months for the scale of the data breach to be confirmed as affecting more than 62.2 million individuals.

The incident was first publicly disclosed in a filing with the U.S. Securities and Exchange Commission (SEC) in April 2025, when it was confirmed that hackers had breached its systems and had access to its servers for almost three months between October 21, 2024, and January 13, 2025. Data compromised in the incident included names, addresses, birth dates, Social Security numbers, medical information, and health insurance information.

While Conduent has not publicly disclosed the name of the group behind the attack, the SafePay ransomware group claimed responsibility and added Conduent to its dark web data leak site. The group claimed to have exfiltrated 8.5 terabytes of data and threatened to publish the stolen data if the ransom was not paid. SafePay did not follow through with that threat, which suggests payment was negotiated to prevent the release of the stolen data.

In the weeks following Conduent’s data breach disclosure, it became apparent that the company had experienced a massive data breach. Two state attorneys general were informed that more than 10 million individuals and 15 million individuals had been affected in Oregon and Texas alone. The HHS’ Office for Civil Rights was notified that approximately 42,000 individuals had been affected, although at the time, the investigation was ongoing. Conduent has now confirmed in an updated OCR notice that the electronic protected health information (ePHI) of more than 62.2 million individuals was potentially compromised in the incident. The OCR breach portal lists the incident as affecting 62,224,658 individuals.

The scale of the data breach is staggering and helps explain why it took 17 months from the detection of the breach to complete the review of the affected data and produce a final list of the affected individuals. The data breach ranks as one of the largest healthcare data breaches of all time, behind the 2024 data breach at the healthcare clearinghouse Change Healthcare, which affected an estimated 192.2 million individuals, and the 2015 data breach at the health insurer Anthem Inc., which affected approximately 78.8 million individuals.

The updated total takes the annual healthcare data breach total past 139 million individuals for 2025 – the third successive year where the ePHI of more than 100 million individuals was breached. Last year was already the worst ever year for healthcare data breaches, with 772 breaches affecting 500 or more individuals reported to OCR, and currently, 2025 ranks as the third-worst year in terms of breached healthcare records.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

The mandatory additional security measures proposed by OCR in its Notice of Proposed Rulemaking updating the HIPAA Security Rule attracted a considerable amount of criticism from industry groups and health systems. These figures clearly show why changes are needed, as the voluntary cybersecurity performance goals proposed by OCR have proven to be insufficient by themselves at reducing the number and scale of healthcare data breaches.

February 26, 2026: Conduent Data Breach: More Than 25M Individuals Affected

The scale of the Conduent Business Services data breach is becoming clearer as the investigation into the cyberattack progresses. While it was already clear that this was a major data breach, Conduent has not publicly confirmed exactly how many individuals have been affected. The Oregon Attorney General was informed that 10.5 million individuals had been affected, and it is now clear that the data breach is several orders of magnitude bigger.

The Texas Attorney General was informed that more than 14 million Texas residents had been affected, and the total was later increased to 15,494,592 individuals in Texas alone. That puts the running total at more than 25 million individuals. Conduent worked with HIPAA-regulated entities across the country, so the total is likely to grow even larger. Conduent provides a range of back-office services to healthcare providers, health plans, and government entities, including printing and mailing services, payment integrity audits, and front-end digitization services. In order to provide those services, Conduent requires access to personal and protected health information, and is a business associate of HIPAA-covered entities.

Conduent identified unauthorized access to its systems, and the forensic investigation revealed that the source of the intrusion was compromised VPN credentials. Once its systems were accessed, the threat actor moved laterally, identified and exfiltrated sensitive data, then encrypted files using ransomware. A ransom demand was issued, payment of which was required to prevent the publication of the stolen data and obtain the decryption keys. It is unclear if the ransom was paid or if Conduent was able to recover the encrypted data from backups.

While Conduent did not state which threat group was behind the attack, responsibility for the attack was claimed by the SafePay ransomware group. Data compromised in the attack included names, addresses, Social Security numbers, health insurance details, and medical information. Currently, the OCR data breach portal lists the Conduent data breach as affecting 42,616 individuals.

The data breach has certainly attracted the attention of regulators. OCR investigates all data breaches affecting 500 or more individuals and has stated previously that it will be prioritizing the most impactful data breaches.  An OCR investigation to determine if Conduent was compliant with the HIPAA Rules will certainly be conducted; however, a company that experiences a data breach, even one as large as this, has not necessarily failed to implement reasonable and appropriate safeguards, and may be fully HIPAA-compliant.

In February, Texas Attorney General Ken Paxton wrote to Conduent demanding answers about the data breach, which he claimed could be the largest healthcare data breach in history. The data breach is unlikely to take that unwanted crown from Change Healthcare, as its 2024 data breach affected 192.7 million individuals, but it could potentially be bigger than the second-largest healthcare data breach, which was reported by Anthem Inc in 2025, and affected 78.8 million individuals; however, even that seems unlikely.

AG Paxton issued investigative demands to Conduent Business Services and one of its affected clients, Blue Shield Blue Cross of Texas (BCBST), to obtain documentation and information pertinent to the Conduent data breach of 4 million BCBST members. “If any insurance giant cut corners or has information that could help us prevent breaches like this in the future, I will work to uncover it,” said Attorney General Paxton. “Texans deserve to know that their private health information is being handled responsibly and in full compliance with the law. My office is committed to uncovering exactly what went wrong, taking action to protect Texas families, and ensuring there is justice for any negligence.” Prior to AG Paxton’s announcement, Montana Attorney General Austin Knudsen announced that his office was investigating the data breach, which is known to have affected 462,000 Blue Cross Blue Shield of Montana plan members.

“From the outset of this incident, we acted promptly and in alignment with incident response protocols to contain and investigate the issue,” explained a Conduent spokesperson. “ To date, there is no evidence that any affected data has been misused, posted, or made publicly available, and the company continues to monitor that closely.”

October 29, 2025: 10.5 Million Americans Affected by Conduent Business Services Data Breach

Earlier this year, Conduent Business Services LLC, a government contractor and business associate of HIPAA-covered entities, experienced a cyberattack; however, the extent of the data breach has only now been learned. According to the breach notice provided to the Oregon Attorney General, 10,515,849 individuals have been affected.

In April 2025, Conduent Inc., the parent company of Conduent Business Services, announced the incident in a filing with the U.S. Securities and Exchange Commission (SEC). Conduent explained that it experienced operational disruption starting on January 13, 2025. Conduent was able to restore its systems and resume normal operations within a few days, and said the incident did not have a material impact on its business operations. In its first quarter earnings report, Conduent said the direct breach response costs had reached $25 million.

An unauthorized third party had access to its systems for around three months from October 21, 2024, to January 13, 2024, and Conduent had previously said that “a significant number” of its clients and their customers had been affected. Conduent has been reviewing the affected files and has only recently started notifying state Attorneys General about the scale of the data breach.  It has taken months to complete the review due to the complexity of the data.

Conduent has not published a list of all of the affected customers, but Blue Cross and Blue Shield of Montana has confirmed that 462,000 of its members were affected. Premera Blue Cross and Humana were also impacted by the data breach, although they have not yet disclosed how many of their customers had data compromised in the incident. The types of data involved vary from customer to customer, and may include names, Social Security numbers, health information, and claims information.  Based on the notices published so far, this is already the largest healthcare data breach of the year.

The Department of Health and Human Services Office for Civil Rights should have been informed about the data breach; however, the OCR data breach portal has not been updated since September 24, 2025, due to the government shutdown, so the data breach is not currently listed. At more than 10.5 million individuals, this is by far the largest healthcare data breach to be announced so far in 2025, and it ranks as the eighth-largest healthcare data breach of all time.

 

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/

The HIPAA Guide is a registered trademark. Copyright © 2007-2026 The HIPAA Guide. All rights reserved.