Conduent breach victim count rises beyond 14.7 million

New regulatory filings show the 2024 cyber incident affected far more individuals than first disclosed.

 

What happened

Conduent Business Services has reported that the number of people affected by its 2024 cyber incident has increased significantly, with a filing to the Texas Attorney General indicating that nearly 14.8 million Texas residents were impacted. Earlier disclosures to state regulators had placed the total at about 10.5 million individuals nationwide. Reporting by BankInfoSecurity notes that the incident involved unauthorized access to Conduent systems and the exposure of personal and protected health information linked to healthcare and government clients across the United States.

 

Going deeper

The SafePay ransomware group claimed responsibility for the breach in early 2025 and alleged large-scale data theft. Conduent provides back-office services, including mailroom and document processing functions, for health insurers, healthcare providers, and government agencies, which amplified the downstream impact once client data was accessed. Forensic investigation showed that attackers had access to parts of Conduent’s network for several months before containment. Because the exposed data was tied to multiple clients and programs, confirming the scope required extensive file review, leading to staggered notifications and updated victim counts over time.

 

What was said

Conduent has stated that it worked with third-party experts to investigate the intrusion and restore affected systems. The company has acknowledged breach-related costs tied to notification and response efforts and has indicated that cyber insurance is expected to cover a portion of those expenses. While Conduent has offered to support notification on behalf of its healthcare clients, it has not yet provided a final consolidated total of all affected individuals. Regulators and courts are now reviewing the incident as multiple lawsuits allege delays in detection and notification.

 

The big picture

Conduent is not the first third-party vendor to revise its breach impact multiple times after a large-scale intrusion. UnitedHealth Group’s Change Healthcare unit similarly filed several updates before confirming that its February 2024 ransomware attack ultimately affected 193 million people. Experts say this pattern reflects how difficult it is for large vendors to untangle exposure when data is spread across shared platforms and multi-tenant systems.

Dave Bailey, vice president of consulting services at Clearwater, said vendors supporting hundreds or thousands of covered entities often have co-mingled and replicated data, making it challenging to determine exactly which records were accessed. Bailey added that healthcare organizations still tend to underestimate vendor risk, noting that breaches should be treated as inevitable events rather than rare anomalies. The focus, he said, should shift toward limiting blast radius, improving resilience, and ensuring rapid detection and containment when incidents occur.

 

FAQs

Why did the reported victim count increase so much over time?

The data was tied to many different clients and programs, which required a lengthy forensic review to identify affected individuals across states.

 

What type of data was involved in the breach?

Exposed information varied by client and may have included names, dates of birth, Social Security numbers, and health or claims-related details.

 

Why do breaches at service providers have a wider impact?

Service providers often store or process data for multiple organizations, so a single intrusion can affect millions of people at once.

 

Are healthcare regulators involved in reviewing the incident?

Yes. Breaches of this scale typically trigger reviews by state attorneys general and the HHS Office for Civil Rights.

 

What should individuals do if they receive a notification related to this breach?

They should review the notice carefully, monitor accounts for unusual activity, and follow any guidance provided regarding credit monitoring or identity protection.
