Conduent breach hits 62M, ranking third largest in US healthcare history

The HHS Office for Civil Rights breach portal has been updated to reflect a final count that places the Conduent Business Services incident behind only Change Healthcare and the 2015 Anthem breach in recorded history.

What happened

The HHS Office for Civil Rights has updated its breach portal to confirm that the Conduent Business Services data breach affected 62,224,658 individuals, making it the third-largest healthcare data breach ever recorded. The figure represents a dramatic revision from the 25 million estimate that state regulators had confirmed as of February 2026. Conduent, a New Jersey-based business process outsourcing company, discovered on January 13, 2025, that attackers had accessed its network between October 21, 2024, and January 13, 2025. According to Cybersecurity Dive, the SafePay ransomware group claimed responsibility, asserting it had stolen multiple terabytes of data. Conduent provides printing, mailing, document processing, payment integrity, and back-office support services to health plans, government agencies, and large employers, meaning its client list determined the breach's downstream reach. Confirmed affected clients include Humana, Premera Blue Cross, and Blue Cross Blue Shield plans in Texas, Montana, Illinois, and New Mexico.

Going deeper

The gap between the initial estimates and the confirmed 62 million figure proves the intricacy of determining breach scope when a single vendor serves hundreds of covered entity clients simultaneously. Conduent submitted the breach to the HHS OCR portal in October 2025 with a placeholder figure. State AG filings then progressively revealed larger totals: 10.5 million in Oregon, 15.5 million in Texas alone as client-by-client reviews concluded. The 62 million final count represents the aggregated total across all affected clients who delegated notification responsibilities to Conduent. According to The Register, state filings had already suggested tens of millions of Americans were affected, with the breach touching systems handling Medicaid, unemployment programs, child support services, and employer health benefits. Compromised data includes names, Social Security numbers, dates of birth, health insurance policy numbers, and medical information, with specific data types varying by individual depending on which Conduent client held their records.

What was said

Conduent stated in notifications to state attorneys general, "From the outset of this incident, we acted promptly and in alignment with incident response protocols to contain and investigate the issue. To date, there is no evidence that any underlying data has been misused, posted, or made publicly available, and we continue to monitor closely." Missouri's Department of Commerce and Insurance Director Angela Nelson stated publicly that Conduent had failed to provide sufficient information for regulators to assess the breach's impact on Missouri insurance consumers, and escalated the investigation by directing regulated insurers to report directly to the department about any Conduent services used during the breach window.

In the know

At 62.2 million individuals, the Conduent breach now sits behind only the 192.7 million-record Change Healthcare breach of 2024 and the 78.8 million-record Anthem breach of 2015 in the history of healthcare data breaches tracked by HHS OCR since 2009. According to Becker's Hospital Review, Conduent accrued $25 million in direct breach response costs in Q1 2025 alone, with a further $16 million anticipated through Q1 2026, against a cyber insurance policy it confirmed was in place. Multiple state investigations remain active, with Missouri and Texas both pressing Conduent and affected insurers for fuller disclosure.

The big picture

The Conduent breach confirms what the Change Healthcare incident established a year earlier: when a vendor processes data for hundreds of covered entities simultaneously, a single intrusion can expose tens of millions of individuals regardless of any individual client's own security posture. At 62 million records, the breach affected roughly one in five Americans. The vendor's role handling printing, mailing, and claims processing, rather than clinical care, means many of those affected never knew Conduent touched their data. That invisibility is precisely the third-party risk problem that both the proposed HIPAA Security Rule update and the Verizon 2026 Data Breach Investigations Report identified as the fastest-growing category of healthcare breach exposure. Third-party breaches rose 60% year over year in the Verizon data and the Conduent figure gives that statistic a concrete scale.

FAQs

Why did the confirmed total jump from 25 million to 62 million?

The 25 million figure reflected confirmed state AG filings from Oregon and Texas as of February 2026. The 62 million figure represents the completed review across all of Conduent's affected clients, submitted to the HHS OCR portal as the final aggregate total. Each client's data had to be reviewed separately before Conduent could confirm the full scope.

Why is Conduent listed as a Business Associate on the HHS breach portal rather than a covered entity?

Conduent is not itself a healthcare provider or health plan. It handles PHI on behalf of covered entities as a business associate. Under HIPAA, business associates that experience breaches must report through their covered entity clients, or directly to HHS when delegated that responsibility, which is why the portal entry shows Conduent Business Services LLC as a business associate filing.

What does this breach mean for individuals who were affected?

The compromised data creates long-term identity theft and medical identity fraud exposure. Conduent offered 12 months of complimentary credit monitoring to affected individuals, though some state regulators and advocacy groups have argued that period is insufficient given the sensitivity of the data involved.

How does the Conduent breach compare historically?

At 62.2 million records, Conduent ranks third in HHS OCR's breach history since 2009, behind Change Healthcare at 192.7 million and Anthem at 78.8 million. It surpasses every other breach in the OCR record, including Optum360, Community Health Systems, and Premera Blue Cross.