Regulators say Conduent is withholding info as breach investigation stalls
Farah Amod
June 1, 2026
Sixteen months after the breach was discovered, Missouri's insurance regulator has gone public with its frustration that Conduent will not provide the information needed to assess the impact on state insurance consumers.
What happened
The Missouri Department of Commerce and Insurance has escalated its investigation into the Conduent Business Services data breach after the company failed to provide regulators with sufficient information to assess the impact on Missouri insurance consumers. According to Becker's Hospital Review, Conduent discovered in January 2025 that attackers had accessed portions of its network between October 21, 2024, and January 13, 2025, exfiltrating files containing names, Social Security numbers, dates of birth, treatment information, and health insurance information from clients, including Humana, Premera Blue Cross, and multiple Blue Cross Blue Shield plans. A February 2026 filing with Wisconsin regulators estimated that at least 25 million individuals were affected, making it one of the largest healthcare-adjacent data breaches in US history. Missouri's DCI Director Angela Nelson stated the department has been "concerned and disappointed that Conduent has not provided sufficient information for regulators to fully assess the potential impact of this breach," and issued a second bulletin directing regulated insurers to report directly to the department about any Conduent services they used during the breach window.
Going deeper
Conduent's position is that providing notice on behalf of clients does not make it a licensee of Missouri's DCI, and that it has no authority to speak with the department on behalf of its clients. The company has contacted all its clients about the bulletin and asked licensees with affected Missouri residents to file directly with the department. According to Cybersecurity Dive, Conduent accrued $25 million in direct breach response costs in Q1 2025 alone, with an additional $16 million anticipated through Q1 2026, against which the company holds a cyber insurance policy. At least nine class action lawsuits have been filed in New Jersey federal court. The Texas Attorney General's office launched a separate investigation in February 2026, with AG Ken Paxton seeking information about Conduent's security policies and requesting evidence from Blue Cross Blue Shield of Texas, Conduent's largest confirmed affected client, with at least 15.49 million Texas residents confirmed as impacted. The SafePay ransomware group claimed responsibility for the attack in February 2025, claiming 8.5 terabytes of stolen data, though Conduent is no longer listed on SafePay's leak site.
What was said
Missouri DCI Director Angela Nelson stated in the department's escalated bulletin: "We are concerned and disappointed that Conduent has not provided sufficient information for regulators to fully assess the potential impact of this breach. Clear and timely communication is critical in these situations, and we are continuing to seek the details needed to evaluate any risk to Missouri insurance consumers." In response, Conduent stated: "The cybersecurity incident affected Conduent Business Services, which is not a licensee with DCI. Conduent agreed to provide notice on behalf of its clients; however, Conduent does not have visibility regarding which of its clients are licensees with DCI, and it has no authority to speak with DCI on behalf of any clients." Conduent added in a separate statement cited by Becker's Hospital Review that it "acted promptly and in alignment with incident response protocols" and that "to date, there is no evidence that any underlying data has been misused, posted or made publicly available."
In the know
The Conduent investigation shows a jurisdictional gap that emerges when a non-licensed business associate serves as the central notification coordinator across multiple regulated covered entities in multiple states. According to The Register, state filings confirmed the breach extends beyond healthcare to employer benefit systems, with Volvo Group North America among affected parties. The Texas AG investigation is the most active state enforcement action, with AG Paxton describing the breach as potentially the largest in US history at the time his office opened its inquiry, before noting it would be difficult to surpass the Change Healthcare incident affecting 192.7 million individuals. The HHS OCR breach portal still listed the incident as affecting only 42,616 individuals as of the time of reporting, a figure that has not been updated despite state filings confirming tens of millions of affected individuals.
The big picture
The Conduent case exposes a structural weakness in HIPAA's business associate framework that has now produced regulatory conflict in at least two states. When a vendor handles notifications on behalf of covered entity clients but does not itself hold a state insurance license, the vendor can credibly claim it has no reporting obligation to state regulators, even when it holds the data and controls the investigation. The covered entities, which hold licenses but may lack direct access to the breach investigation findings, are then left to report to regulators with incomplete information. The result is what Missouri has now documented publicly: a state regulator 16 months into a breach affecting an unknown number of its consumers, still unable to determine the scope. According to Paubox's Top 3 Healthcare Email Attacks report, vendor and business associate exposure accounted for 28% of all email-related healthcare breaches in 2025. The Conduent case shows what happens when that vendor exposure involves a company operating outside the direct licensing framework of state regulators.
FAQs
Why can Conduent decline to report directly to Missouri's insurance regulator?
Conduent is not itself a licensed insurance entity in Missouri. State insurance regulators have jurisdiction over licensed entities and their business associates only to the extent those relationships are defined in state insurance law. Conduent's position is that its reporting obligation runs to its covered entity clients, who are the licensees, rather than directly to the department.
Why does the HHS OCR breach portal still show only 42,616 affected individuals when state filings confirm tens of millions?
The OCR breach portal reflects what covered entities have reported directly to HHS. If Conduent's covered entity clients have not individually filed updated breach reports with OCR, or if their filings are still under investigation, the portal figure will not reflect the actual scope confirmed through state AG filings. OCR and state AG breach portals operate independently and update at different cadences.
What is SafePay ransomware, and how does Conduent's absence from its leak site factor into the investigation?
SafePay is a ransomware group that operates a double-extortion model, exfiltrating data before encrypting systems. A victim's removal from the SafePay leak site typically indicates that a ransom was paid or that the matter was otherwise resolved. Conduent has not confirmed a ransom payment, and the stolen data has not been publicly identified as posted or sold.
What obligation do Conduent's covered entity clients have to their own regulators?
Each covered entity that contracted with Conduent and had customer or member data involved in the breach holds its own HIPAA and state regulatory reporting obligations. Those entities must report to HHS and state regulators based on their own licensing and must not rely solely on Conduent's notifications to fulfill their compliance requirements.
How does this case affect how healthcare organizations should structure business associate agreements?
Business associate agreements should include explicit requirements for the vendor to cooperate directly with covered entity regulators upon request, provide detailed breach scope information within defined timeframes, and grant covered entities sufficient access to breach investigation findings to meet their own regulatory reporting obligations. Relying on a vendor's unilateral notification process without contractual oversight mechanisms leaves covered entities unable to satisfy state regulators who ask questions the vendor has declined to answer.