Sign In

Forgot your password? Sign Up

The Conduent Breach: 25+ Million Americans Exposed by a Company You've Never Heard Of

Apr 20

The largest third-party data breach in U.S. history is still unfolding. Here's what happened and what to do if your information was exposed.

The short version

In January 2025, the SafePay ransomware gang spent roughly three months inside the network of Conduent Business Services, a behind-the-scenes contractor that processes Medicaid, SNAP, and corporate HR data for state governments and Fortune 100 companies. They walked out with 8.5 terabytes of data.

A year later, what Conduent first described in SEC filings as affecting "a limited number of users" has ballooned to over 25 million Americans. The Texas Attorney General has called it the largest data breach in U.S. history. Most victims have never heard of Conduent.

Who is Conduent and why do they have your data?

Conduent is a $3 billion government technology contractor that handles the unglamorous back-office work keeping state and federal programs running. As of 2019, they said their systems supported services for over 100 million people and a majority of Fortune 100 companies.

Their client list for this breach includes:

  • State benefit programs (Medicaid, SNAP) in more than 30 states
  • Blue Cross Blue Shield of Texas and other major health insurers
  • Volvo Group (17,000 employees confirmed affected)
  • Unnamed Fortune 100 employers who outsource HR and claims processing

The notification letters do not specify which client sent your data to Conduent. Millions of people are getting letters from a company they've never done business with.

What was stolen

  • Full legal names, addresses, dates of birth
  • Social Security numbers
  • Medical records and treatment history
  • Health insurance and claims data
  • Government benefit program identifiers

This is not a password breach. SSNs are permanent. Medical histories are permanent. Once this data is in criminal hands, it stays useful for years.

The timeline

  • Oct 21, 2024: Hackers gain access to Conduent's network
  • Jan 13, 2025: Intrusion detected after three months of access
  • Feb 2025: SafePay claims responsibility, threatens to leak 8.5 TB
  • April 2025: Conduent discloses the breach in an SEC 8-K, calling the scope limited
  • Oct 2025: Notification letters begin arriving
  • Feb 2026: Texas victim count surges to 15.4 million. National total exceeds 25 million
  • Mar 30, 2026: Conduent confirms a separate new unauthorized access incident
  • April 15, 2026: Target date to complete notifications
  • April 30, 2026: Deadline to enroll in free credit monitoring

Why this one matters more than most

You were breached by a company you've never heard of. Your state Medicaid office, your employer, or your health insurer handed your data to Conduent. This is modern supply chain risk: any one of dozens of vendors handling your data can leak it.

Forever identifiers. SSNs plus medical records enable long-tail identity theft, medical insurance fraud, tax fraud, and targeted phishing for a decade or more.

The notification process failed. Victims were breached in October 2024. Most did not receive letters until 12 to 18 months later. That is over a year of criminals having the data before victims were told.

What to do if you got a letter

Do not throw it away. Local news outlets have reported residents mistaking the letter for a scam. It is legitimate and contains the enrollment code for free credit monitoring.

Enroll in free credit monitoring before April 30, 2026. Conduent is offering two years of credit monitoring and identity restoration. The window is firm.

Freeze your credit with all three bureaus. A freeze is free, stops new accounts from being opened in your name, and is more effective than monitoring. Equifax, Experian, and TransUnion each require a separate freeze.

Watch your Explanation of Benefits statements. Medical identity theft is a real risk. Criminals can use stolen insurance details to obtain prescriptions or file false claims in your name.

Be skeptical of follow-up contact. Scammers use major breach events to run secondary scams. Conduent will not call asking for your SSN to "verify" the breach. Hang up and verify through official channels.

What to do if you didn't get a letter

Not receiving a letter does not mean you're safe. Conduent's victim count keeps growing. Consider yourself at elevated risk if you have ever received SNAP or Medicaid benefits, are covered by Blue Cross Blue Shield of Texas, or have been employed by a Fortune 100 company in the last five years.

Take the same steps: freeze your credit, monitor your EOBs, and assume your SSN is in the wrong hands.

The bigger picture

Conduent is not an outlier. The Identity Theft Resource Center tracked a record 3,322 data compromises in the U.S. in 2025, and 80% of Americans received at least one breach notification letter in the past year. 70% of those notices gave consumers no meaningful information about what was exposed, up from 45% in 2023.

When your data sits in hundreds of vendor systems you never chose, the only realistic defense is minimizing your exposure before the breach happens. The Conduent letter in your mailbox is not a one-time event. It is a preview of the next five years.

Back to top
Home Shop
Wishlist Log in
×