Active breach tracker Florham Park, NJ Disclosed October 8, 2025

Conduent Business Services LLC Data Breach 2025: 42,616 on OCR (10.5M-25M+ Total) After SafePay Ransomware Attack on Government & Health-Plan BPO

Conduent Business Services LLC, a New Jersey-based business associate and BPO contractor for Blue Cross plans, Humana, and state agencies, filed a HIPAA breach notification with HHS OCR on October 8, 2025 for 42,616 individuals. The figure is a placeholder. Reporting and state filings now place the actual scope at 10.5 million confirmed and an internal estimate of 25 million or more, after the SafePay ransomware group claimed 8.5 TB of stolen data from an intrusion that ran October 21, 2024 to January 13, 2025.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 21, 2024

Unauthorized third party gains access to Conduent's network (per forensic investigation)

Jan 13, 2025

Conduent detects operational disruption, contains intrusion, begins forensics

Feb 13, 2025

SafePay ransomware group claims attack on dark-web leak site; claims 8.5 TB exfiltrated

Apr 14, 2025

Conduent first publicly discloses the cyber incident in regulatory filings

Oct 8, 2025

Initial HIPAA breach report filed with HHS OCR listing 42,616 affected individuals (placeholder)

Oct 8, 2025

Disclosed publicly

Oct 15, 2025

Individual notification letters begin mailing; state AG filings in CA, DE, IN, ME, MA, NH, VT, OR, TX

Nov 10, 2025

First putative class actions filed; multiple suits consolidated in U.S. District Court for the District of New Jersey

Feb 5, 2026

Texas AG figure rises from 4M to 15.4M; Oregon AG records 10.5M residents

Feb 24, 2026

Conduent's internal estimate places total impact at 25 million or more individuals

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth Social Security number

02

Health records

Don't expire and can't be reissued

Medical / treatment information

03

Contact & insurance

Phishing + targeted scams

Full name Home address Health insurance information Claims information

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Schubert Jonckheer & Kolbe LLP The Lyon Firm Milberg Coleman Bryson Phillips Grossman Federman & Sherwood
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

Conduent Business Services LLC, the Florham Park, New Jersey-headquartered business-process outsourcing arm of NASDAQ-listed Conduent Incorporated (CNDT), filed a HIPAA breach notification with HHS OCR on October 8, 2025 for 42,616 individuals. That number is a placeholder. Conduent’s own state attorney general filings, federal court filings, and earnings disclosures now place the true scope at 10.5 million confirmed and an internal estimate of 25 million or more, making this one of the largest healthcare-related data exposures of 2025. The intrusion was claimed by the SafePay ransomware group, which says it exfiltrated 8.5 terabytes of data during the 84-day dwell period from October 21, 2024 to January 13, 2025. Conduent runs printing, mailroom, document processing, payment integrity, and claims administration for several Blue Cross Blue Shield plans, Humana, and multiple state human services agencies, which is why the impact cascades across so many downstream entities.

Timeline of what we know

  • October 21, 2024 — Forensic investigation later places unauthorized access to Conduent’s network starting on this date. The threat actor maintained access for roughly 84 days before detection.
  • January 13, 2025 — Conduent detects an “operational disruption” affecting parts of its network, contains the intrusion, and begins incident response. This is the date used as discovery for regulatory purposes.
  • February 2025 — The SafePay ransomware group publicly claims the attack on its dark-web leak site, threatening to publish approximately 8.5 TB of stolen data if a ransom is not paid.
  • April 14, 2025 — Conduent first publicly discloses the cyber incident in regulatory filings, months after detection.
  • May 2025 (Q1 earnings) — Conduent reports approximately $9 million in direct breach-response costs incurred to date and projects another $16 million by Q1 2026.
  • October 8, 2025 — Initial HIPAA breach report filed with HHS OCR, listing 42,616 affected individuals. This is a placeholder used while forensic review and per-client attribution continue.
  • October 15, 2025 onward — Individual notification letters begin mailing. State attorney general filings appear in California, Delaware, Indiana, Maine, Massachusetts, New Hampshire, Vermont, Oregon, and Texas, with widely varying victim counts per state.
  • November 2025 — Putative class actions begin filing in federal court. Most are consolidated in the U.S. District Court for the District of New Jersey, the entity’s home district.
  • February 5, 2026 — Texas Attorney General records show the Texas-resident count rising from an initial 4 million to 15.4 million. Oregon Attorney General records show 10.5 million Oregon-recorded individuals.
  • February 24, 2026 — Internal estimates reported by TechCrunch and others place the total affected count at 25 million or more individuals nationwide.

What was exposed

Per state attorney general filings and class-action complaints, the files accessed during the intrusion contained, depending on the individual and the underlying client relationship:

  • Full name and home address
  • Date of birth
  • Social Security number
  • Health insurance information
  • Treatment and medical information
  • Claims information

Not every data element was present for every affected person. Because Conduent processes claims and benefit paperwork for multiple Blue Cross plans, Humana, Premera, and several state agencies, the specific combination of fields exposed varies by which client’s workflow your record sat in.

Who notifies you (business-associate posture)

Conduent is a HIPAA business associate, not a covered entity. Notification responsibility therefore depends on the underlying contract:

  • For most of its health-plan clients (Blue Cross Blue Shield of Montana, Blue Cross and Blue Shield of Texas, Humana, Premera Blue Cross), the plans themselves are issuing some of the notices to their members. You may receive a letter on Conduent letterhead, on the health plan’s letterhead, or both.
  • For its state human services clients (Wisconsin Department of Children and Families, Oklahoma Human Services), the state agency typically handles direct notification to program participants.
  • For its employer clients (Volvo Group, with roughly 17,000 employee records exposed), the employer’s HR or benefits team handles notification.

If you have ever had health insurance through, or filed a claim with, any of the entities listed above between roughly 2020 and 2025, your data may have been in Conduent’s environment regardless of whether you have a direct relationship with Conduent.

Downstream clients confirmed exposed

Reporting from SecurityWeek, BankInfoSecurity, HIPAA Journal, and state AG filings has confirmed the following downstream entities had member, patient, or employee data in the breached Conduent environment:

  • Blue Cross Blue Shield of Montana
  • Blue Cross and Blue Shield of Texas
  • Premera Blue Cross
  • Humana
  • Wisconsin Department of Children and Families
  • Oklahoma Human Services
  • Volvo Group (employee benefits records, approximately 17,000 individuals)

This list is not exhaustive. Conduent serves a large book of state Medicaid, child support, transit, and benefit-administration clients, and additional downstream entities continue to surface in state AG filings.

Class-action and regulatory posture

At least ten putative class actions have been filed against Conduent and consolidated in the U.S. District Court for the District of New Jersey, where Conduent is headquartered. The complaints allege negligence, breach of implied contract, breach of fiduciary duty, and violations of state consumer protection statutes, and seek damages plus injunctive relief requiring Conduent to implement a comprehensive information security program. Plaintiffs’ firms publicly investigating or representing class members include Schubert Jonckheer & Kolbe, The Lyon Firm, Milberg Coleman Bryson Phillips Grossman, and Federman & Sherwood.

The HHS Office for Civil Rights investigation is open. Multiple state attorneys general are also investigating, including Missouri, which has publicly accused Conduent of stonewalling its investigation, and Montana, whose investigation of Blue Cross Blue Shield of Montana (a Conduent client) has been allowed to proceed by court order. Conduent has offered affected individuals two years of complimentary credit monitoring and identity restoration services through a third-party provider, with an enrollment deadline of March 31, 2026. Accepting the credit monitoring does not waive participation in the consolidated class action.

What to do if you may be affected

Treat this as a high-severity exposure. Social Security numbers, dates of birth, and health-insurance details have been in the hands of a ransomware actor for more than a year, and SafePay has demonstrated willingness to publish stolen data:

  1. Freeze your credit at all three bureaus. Equifax, Experian, and TransUnion. It is free, takes about ten minutes per bureau, and blocks new-account fraud cold. This is the single highest-leverage step when SSNs are exposed.
  2. Enroll in the two-year credit monitoring Conduent is offering if you receive a notification letter. The deadline is March 31, 2026. Enrollment does not waive class-action rights.
  3. Request an IRS Identity Protection PIN (IP PIN) at irs.gov/ippin. It prevents fraudulent federal returns filed under your SSN. Tax-refund fraud is a leading attack pattern after SSN breaches.
  4. Watch your Explanation of Benefits statements from your health insurer. Look for visits, prescriptions, or procedures you did not receive. Medical identity theft is harder to unwind than financial fraud.
  5. Be skeptical of phone, text, and email outreach that references your insurer, claims, or “Conduent.” Threat actors routinely follow large breaches with targeted phishing using leaked identifiers. Legitimate notification letters arrive by U.S. mail and never ask for your full SSN or bank details to “verify” enrollment.
  6. If you have minor children covered under any affected plan, check their credit reports as well. Children’s SSNs are valuable to fraudsters because the theft often goes undetected until they apply for credit as adults.
  7. Save your notification letter. It contains a unique enrollment code and may serve as proof of exposure if you opt into the consolidated class action in the District of New Jersey.

Sources

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.