‘Likely the Largest Breach in U.S. History’: What You Need to Know About the Conduent Fiasco

At least 26 million people have had their personal data stolen from Conduent, a company that provides printing, payment, and document processing services for some of the largest health insurance providers in the country. Some are already calling it one of the largest data breaches in U.S. history, exposing addresses, social security numbers, and health information to ransomware hackers.

Conduent first discovered it was the victim of a “cyber incident†over a year ago on January 13, 2025, according to a notice posted online by the company. The breach itself happened from October 21, 2024, to January 13, 2025, and involved data held by Conduent because the company provides services to health plans.

The data included names, social security numbers, unspecified medical information, and health insurance information. The company emphasized in its notice that “not every data element was present for every individual,†meaning that some people may have just had their social security number stolen but not their health insurance info, or vice versa.

Safepay ransomware group took credit for the attack, according to Bleeping Computer, reportedly snagging over 8 terabytes of information. It’s unknown whether Safepay has demanded payment for the return of the information, but Conduent wrote online that, “Presently, we are unaware of any attempted or actual misuse of any information involved in this incident.â€

The full scale of the breach is still unclear. Texas Attorney General Ken Paxton wrote last week that over 4 million Texans had their data stolen, but Fox News reports that number has jumped to 15.4 million people. Texas has a total population of 31 million, meaning that roughly half the entire state was impacted.

“The Conduent data breach was likely the largest breach in U.S. history. If any insurance giant cut corners or has information that could help us prevent breaches like this in the future, I will work to uncover it,†Paxton said in a statement published Feb. 12. “My office is committed to uncovering exactly what went wrong, taking action to protect Texas families, and ensuring there is justice for any negligence.â€

Oregon reported on its consumer protection website that 10.5 million were swept up in the breach, which already brings the running total to about 26 million. But residents of other states have also received notices, including people in California, Delaware, Massachusetts, New Hampshire, and New Mexico. Some of the states have relatively small numbers, like Maine, which has just 374 people whose data was exposed, according to the state’s Attorney General.

Conduent, which is based in New Jersey, didn’t respond to questions asking about the full scope of the hack and what victims can do about it via email on Tuesday. The company was spun off from Xerox in 2017 and employs about 56,000 people globally, according to Bleeping Computer.

Conduent handles several payment processing services for states, and an outage for EBT services in Wisconsin and Oklahoma back in January 2025 was reportedly related to the Safepay data breach. A class action lawsuit against Conduent is pending in New Jersey over the hack, according to NJ.com.

According to a letter sent to victims in California, Conduent is offering some people free credit monitoring and identity restoration services through Eqiq free of charge, but those impacted must enroll by April 30, 2026.

Anyone with questions about the breach is encouraged to call (866) 291-3678 between Monday and Friday, 9 am to 6:30 p.m. ET.