
Conduent Data Breach Expands to 25 Million Americans in Largest Healthcare-Adjacent Incident

Government technology contractor Conduent's January 2025 ransomware attack has ballooned to affect over 25 million Americans — with Texas alone at 15.4 million, nearly four times the initially disclosed figure — exposing SSNs and medical data.


TechDrop Editorial


The data breach at government technology contractor Conduent Business Services has expanded to affect over 25 million Americans, making it potentially the largest healthcare-adjacent breach in US history. The breach originated with a ransomware attack in January 2025 that disrupted Conduent's operations for several days, but the scope of exposed data has grown dramatically throughout 2025 and 2026 as state attorneys general and federal investigators have forced fuller disclosures.

The Expanding Scope

Texas alone accounts for 15.4 million affected individuals — roughly half the state's population. This figure is nearly four times the 4 million that Conduent initially told Texas authorities were affected, a discrepancy that has drawn scrutiny from the state's attorney general. Oregon has confirmed an additional 10.5 million affected residents. The combined total of over 25 million continues to grow as additional states complete their own assessments of the data Conduent processed on their behalf.

The data compromised includes names, Social Security numbers, medical data, and health insurance information — the most sensitive categories of personal information, with direct implications for identity theft, insurance fraud, and medical identity fraud.

Government Contractor Risk

Conduent processes government benefits, healthcare claims, and other sensitive transactions on behalf of state and federal agencies. The company's role as a government technology contractor means that a single breach exposes data from multiple government programs across multiple states — creating a blast radius that individual state agencies cannot fully assess on their own because they do not have visibility into what other states' data was also compromised in the same incident.

Texas Attorney General Ken Paxton issued Civil Investigative Demands to both Conduent and Blue Cross Blue Shield of Texas, seeking detailed information about the breach's scope and the adequacy of the security measures that were in place at the time of the attack. At least 10 federal class-action lawsuits have been filed in the US District Court for the District of New Jersey, where Conduent is headquartered.

Disclosure Accountability

The gap between Conduent's initial disclosure — 4 million affected in Texas — and the revised figure of 15.4 million raises questions about breach disclosure practices. Whether the initial undercount reflected incomplete forensic analysis, deliberate minimization, or a genuinely evolving understanding of the breach's scope, the practical effect is the same: millions of Americans whose data was compromised did not receive timely notification and could not take protective measures during the period between the initial and revised disclosures.

For organizations that contract with government technology vendors, the Conduent incident illustrates the concentration risk that arises when a single contractor handles sensitive data for multiple government clients. A breach at the contractor level cascades across all of its government customers simultaneously, and the government agencies themselves may have limited visibility into or control over the contractor's security posture.
