Conduent Data Breach Class Action 2026 10 Feb Update, 25M+ Victims, 10+ Lawsuits Filed—Free Credit Monitoring Deadline March 31

Conduent Business Services faces at least 10 federal class action lawsuits after a massive data breach between October 2024 and January 2025 exposed the personal and protected health information of over 25 million people—now ranking as the eighth-largest healthcare data breach in U.S. history. Victims must enroll in free credit monitoring by March 31, 2026, while litigation continues that could eventually result in substantial cash compensation.

The breach exposed Social Security numbers, medical records, and health insurance details from patients of Blue Cross Blue Shield Texas, Blue Cross Blue Shield Montana, Premera Blue Cross, Humana, and multiple state Medicaid programs. In Texas alone, over 14.7 million people were affected—more than the entire state’s Medicaid enrollment.

What Happened in the Conduent Cyberattack

On January 13, 2025, Conduent—a New Jersey-based business process services company that handles medical billing, claims processing, and back-office support for major healthcare organizations and government agencies—discovered unauthorized access to its network. According to court filings and SEC disclosures, hackers had infiltrated Conduent’s systems starting October 21, 2024, remaining undetected for nearly three months.

The SafePay ransomware group claimed responsibility in February 2025, posting Conduent on its dark web leak site and alleging it had stolen 8.5 terabytes of data. Conduent was later removed from the leak site, suggesting either ransom payment or data sale to other criminals.

Investigations revealed the threat actor obtained files containing names, dates of birth, Social Security numbers, medical service information including diagnoses and treatment codes, provider names, dates of service, claims data, and health insurance details. Not every data element was present for every individual, but the sheer volume affected makes this one of the most significant healthcare breaches in recent years.

Who Is Affected

As of February 2026, the confirmed victim count exceeds 25 million individuals across multiple states. Initially reported as 10.5 million based on Conduent’s October 2025 breach report to the Oregon Attorney General, the number grew significantly as investigations progressed.

Texas alone reported 14.7 million affected individuals to the Texas Attorney General—a number that dwarfs the state’s 5.4 million Medicaid enrollees, indicating the breach affected commercial insurance patients beyond just government programs.

Affected Conduent clients include:

Blue Cross Blue Shield of Texas (BCBSTX): Millions of current and former patients whose claims Conduent processed.

Blue Cross Blue Shield of Montana: Patients who received services processed through Conduent between October 2024 and January 2025.

Premera Blue Cross: Members whose health information was stored in Conduent’s compromised systems.

Humana: Enrollees whose data Conduent handled as part of claims administration services.

Wisconsin Department of Children and Families and Oklahoma Human Services: Initially thought affected, though Oklahoma subsequently stated Conduent confirmed its data was unaffected.

If you received healthcare services through any of these insurers or state programs during the relevant time period and received a breach notification letter from Conduent, your information was likely compromised.

The Class Action Lawsuits Filed

At least 10 federal class action lawsuits have been filed against Conduent as of February 2026. Representative cases include:

Brandon Berkenfeld v. Conduent (filed November 4, 2025): Alleges Conduent failed to safeguard sensitive information and did not provide timely notice to affected individuals, seeking to represent a nationwide class.

Eric Larson v. Conduent and BCBS Montana (filed in Montana): Alleges HIPAA violations and breach of fiduciary duties under the Federal Trade Commission Act.

Multiple additional lawsuits filed in New Jersey federal court assert similar claims including negligence, negligence per se, breach of third-party beneficiary contract, unjust enrichment, and failure to implement adequate cybersecurity measures.

Plaintiffs argue that as a business associate under HIPAA handling highly sensitive health information for millions of Americans, Conduent had a legal duty to implement industry-standard security measures. The successful three-month intrusion suggests potential security gaps that violated these obligations.

The lawsuits note that Conduent took 10 months from when the cyberattack was first detected to fully understand the breach’s scale and notify all affected individuals—a delay plaintiffs claim violated state and federal notification laws.

Current Litigation Status

As of February 2026, no settlements have been reached. The cases remain in early litigation stages with discovery—the process where attorneys gather evidence through document requests and depositions—just beginning.

Given the massive scale, these lawsuits will likely be consolidated into multidistrict litigation (MDL) to streamline proceedings. Similar healthcare breach cases like AT&T ($177 million for 73 million victims) and Yale New Haven Health ($18 million for 5.6 million victims) provide potential benchmarks for what Conduent victims might recover if litigation succeeds.

Lawsuits seek compensatory damages, statutory damages under applicable state privacy laws, punitive damages for willful security failures, and injunctive relief requiring Conduent to upgrade cybersecurity practices.

Free Credit Monitoring Offered

Conduent is providing two years of free credit monitoring and identity restoration services through a third-party provider. According to breach notification letters sent starting October 2025, affected individuals must enroll by March 31, 2026.

This is a firm deadline stated in Conduent’s official notification letters. Unlike settlement claim deadlines which sometimes get extended, credit monitoring enrollment windows are typically non-negotiable.

The credit monitoring service includes dark web monitoring, credit report tracking from all three bureaus, identity theft insurance coverage, and fully managed identity recovery services if theft occurs.

Important: Accepting free credit monitoring does NOT waive your right to participate in class action lawsuits or recover cash compensation if settlements are reached. You can enroll in monitoring while remaining part of the litigation.

What to Do If You’re Affected

Enroll in Credit Monitoring Immediately: Don’t wait until March 31. Enroll as soon as possible using the instructions in your breach notification letter. The sooner you start monitoring, the faster you’ll detect suspicious activity.

Place Fraud Alerts: Contact one of the three major credit bureaus (Equifax, Experian, TransUnion) to place a fraud alert on your credit file. The bureau you contact will notify the other two. Fraud alerts make it harder for identity thieves to open accounts in your name.

Consider Credit Freezes: For stronger protection, place security freezes with all three credit bureaus. Freezes prevent creditors from accessing your credit report, blocking most new account openings. You can temporarily lift freezes when applying for legitimate credit.

Monitor Medical Records: Request copies of your medical records from healthcare providers and review them carefully. Look for services, diagnoses, or prescriptions you don’t recognize. Medical identity theft can corrupt your records and affect future care.

Review Explanation of Benefits Statements: Carefully examine all insurance EOBs for medical services or prescriptions you never received. Report suspicious claims to your insurer immediately.

Document Everything: Keep copies of all breach notifications, correspondence with Conduent or credit bureaus, and any expenses incurred addressing the breach such as credit monitoring fees, postage, or time spent resolving issues. This documentation supports future damage claims if settlements are reached.

What Is the Conduent Data Breach Class Action Lawsuit About?

The consolidated class actions allege Conduent failed to implement adequate cybersecurity measures to protect over 25 million people’s personal and protected health information, took too long to discover the three-month intrusion, and delayed notifying victims for up to 10 months after detecting the breach. Lawsuits seek compensatory damages, statutory damages, punitive damages, and court orders requiring enhanced security.

When Did the Conduent Data Breach Occur and What Data Was Compromised?

Unauthorized access occurred between October 21, 2024, and January 13, 2025. Compromised data includes names, dates of birth, Social Security numbers, medical treatment and diagnosis information, health insurance details, provider names, dates of service, and claims data. The SafePay ransomware group claimed to have stolen 8.5 terabytes of data.

Am I Eligible to File a Claim in the Conduent Settlement?

No settlement exists yet as of February 2026—only active litigation. If you received a Conduent data breach notification letter, you’re automatically part of the class action lawsuits unless you opt out. Future settlement claims will likely cover all U.S. residents whose information was compromised in the breach.

How Do I File a Claim for the Conduent Data Breach Settlement?

No settlement or claim process exists yet. Lawsuits are in early stages. If settlements are eventually reached, claims administrators will establish official settlement websites with claim forms and deadlines. For now, enroll in the free credit monitoring by March 31, 2026, and monitor legal news sources for settlement updates.

What Is the Deadline to Submit My Claim?

No claim deadline exists because no settlement has been approved. The only current deadline is March 31, 2026 to enroll in Conduent’s free two-year credit monitoring service. Settlement claim deadlines will be announced if and when settlement agreements are reached.

How Much Compensation Will I Receive from the Settlement?

Unknown at this stage. If settlements are reached, amounts depend on final class size, total damages, and negotiation outcomes. Similar healthcare breach settlements have ranged from $20-$100 per person for basic claims to thousands for documented identity theft losses. The WebTPA $13.75 million settlement for 2.4 million victims offers one potential benchmark.

When Will I Get Paid from the Conduent Settlement?

Payments won’t occur until settlements are negotiated, court-approved, and all appeals resolved—typically 1-3 years from when lawsuits were filed. Given cases were filed in late 2025, payments likely won’t arrive until 2027 or 2028 at the earliest if settlements are reached.

What Documentation Do I Need to File a Claim?

For future settlement claims (once available), you’ll typically need your breach notification letter as proof you’re part of the settlement class. For documented loss claims, gather receipts for credit monitoring services, identity theft protection, legal or accounting fees to resolve fraud, unreimbursed fraudulent charges, and records of time spent addressing the breach.

For patients affected by similar healthcare data breaches, understanding Continuum Health Class Action Settlement Pays Up To $5,000 demonstrates how healthcare providers face accountability for security failures. The Conduent Data Breach Update provides comprehensive details on the Texas victim count and litigation developments.

Last Updated: February 10, 2026

Disclaimer: This article provides informational content only and does not constitute legal advice. Consult with a qualified data breach attorney for case-specific guidance about your legal rights.

What to Do Next: Enroll in free credit monitoring before the March 31, 2026 deadline, and monitor legal news sources for settlement updates as litigation progresses.

Stay informed, stay protected. — AllAboutLawyer.com

About the Author

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah