Conduent Data Breach Update, 14.7 Million Victims in Texas Alone, 10+ Class Actions Filed, Free Credit Monitoring Deadline March 31, 2026

Conduent Business Services’ October 2024 data breach initially reported as affecting 10.5 million people nationwide has exploded to at least 14.7 million victims in Texas alone—making this potentially one of the largest healthcare data breaches in U.S. history. As of January 2026, at least 10 federal class action lawsuits are proceeding in consolidated litigation in New Jersey federal court, a Plaintiffs’ Steering Committee has been appointed, and affected individuals have until March 31, 2026, to enroll in two years of free credit monitoring offered by Conduent.

What Is the Conduent Data Breach?

Conduent Business Services LLC, a New Jersey-based company providing back-office services including printing, mailroom operations, and document processing for government agencies and healthcare organizations, suffered a cyberattack where hackers accessed its network from October 21, 2024, to January 13, 2025—nearly three months of unrestricted access.

The SafePay ransomware group claimed responsibility for the attack in February 2025, alleging it stole 8.5 terabytes of data. Conduent later disappeared from SafePay’s dark web leak site, though the company hasn’t confirmed whether a ransom was paid.

Conduent discovered the intrusion on January 13, 2025, when it experienced “operational disruption” that shut down critical services across multiple states. The company filed notice with the U.S. Securities and Exchange Commission (SEC) on April 14, 2025, confirming that a “threat actor” had exfiltrated files associated with several Conduent clients.

What Personal Information Was Compromised?

According to breach notifications filed with state attorneys general and sent to affected individuals starting in October 2025, the compromised data includes:

• Full names
• Social Security numbers
• Dates of birth
• Postal addresses
• Medical service information (treatment and diagnosis codes)
• Provider names and dates of service
• Claim amounts and health insurance information

Not every data element was present for every individual, but the combination of Social Security numbers with medical information creates particularly dangerous identity theft risks that persist for years.

Who Was Affected by the Conduent Data Breach?

The victim count has grown dramatically since initial reports. A breach notice submitted to the Oregon Attorney General in October 2025 indicated 10,515,849 individuals were affected nationwide. However, a subsequent filing with the Texas Attorney General revealed 14,791,500 Texas residents alone had their information compromised.

Since the breach affected Conduent clients across the country, the Texas victims represent only a fraction of the total. Legal experts now estimate the final count could exceed 20-25 million individuals, which would rank this among the top 5 largest healthcare data breaches ever recorded in the United States.

Affected organizations whose data Conduent processed include:

• Blue Cross and Blue Shield of Texas (largest health insurer in Texas)
• Blue Cross and Blue Shield of Montana (largest health insurer in Montana)
• Premera Blue Cross (largest health insurer in the Pacific Northwest)
• Humana (top 5 U.S. health insurer)
• Wisconsin Department of Children and Families
• Oklahoma Human Services
• Blue Cross Blue Shield of Illinois
• Blue Cross Blue Shield of Tennessee (HealthSelect members)

Additional state government agencies that contract with Conduent for Medicaid, child support, food assistance, and toll systems may also be affected, though full disclosure remains ongoing as of January 2026.

What Class Action Lawsuits Have Been Filed?

As of January 2026, at least 10 federal class action lawsuits have been filed in the U.S. District Court for the District of New Jersey and consolidated under Judge Michael A. Hammer in In re: Conduent Business Services Data Breach Litigation.

On December 22, 2025, Judge Hammer appointed an eight-member Plaintiffs’ Steering Committee led by Chair Shauna Itri of Seeger Weiss, with members including:

• Corban Rhodes (DiCello Levitt)
• Ashley Crooks (Hausfeld)
• Connor Hayes (Lynch Carpenter)
• Raph Graybill (Graybill Law Firm)
• Thomas Loeser (Cotchett, Pitre & McCarthy)
• Linda Nussbaum (Nussbaum Law Group)
• Brian Gudmundson (Zimmerman Reed)

Law firms representing plaintiffs include Morgan & Morgan PA, The Dann Law Firm, Edelson Lechtzin LLP, Carella Byrne Cecchi Brody & Agnello PC, Goetz Geddes & Gardner PC, Kimmel & Silverman PC, Wolf Haldenstein Adler Freeman & Herz LLP, and Schubert Jonckheer & Kolbe LLP.

What Legal Claims Are Involved?

The consolidated lawsuits allege multiple causes of action against Conduent:

Negligence and Negligence Per Se: Plaintiffs claim Conduent failed to implement reasonable and appropriate data security measures to protect sensitive personal and health information, violating federal and state data protection standards.

HIPAA Violations: The lawsuits allege Conduent breached duties under the Health Insurance Portability and Accountability Act (HIPAA) to protect personal health information (PHI) and violated HIPAA by delaying notification to affected individuals for nearly 10 months after discovery.

Federal Trade Commission Act Violations: Claims that Conduent engaged in unfair and deceptive practices in violation of the FTC Act.

Breach of Third-Party Beneficiary Contract: Plaintiffs argue they are third-party beneficiaries of contracts between Conduent and its healthcare/government clients that required adequate data protection.

Unjust Enrichment: Claims that Conduent profited from processing personal data while failing to implement adequate security to protect it.

The lawsuits seek class certification, compensatory and statutory damages, punitive damages, and injunctive relief requiring Conduent to upgrade cybersecurity practices and monitoring protocols.

What Is Conduent Offering to Victims?

Conduent is providing two years of free credit monitoring and identity restoration services through a third-party provider. According to breach notification letters sent starting in October 2025, affected individuals must enroll by March 31, 2026.

As of January 2026, Conduent has not provided direct cash compensation to victims outside of any future class action settlement. The company incurred $9 million in breach response costs by September 2025 and anticipates a further $16 million by the first quarter of 2026, according to SEC filings. Conduent maintains cyber insurance that it expects will cover notification costs, though litigation and regulatory fines could significantly impact the company’s financial position.

How Does This Compare to Other Healthcare Data Breaches?

The Conduent breach ranks as approximately the eighth-largest healthcare data breach in U.S. history based on the initial 10.5 million victim count. With the updated Texas numbers suggesting 14.7+ million victims, it could climb even higher.

For comparison:

• Change Healthcare (2024): 193 million victims—the largest healthcare breach ever
• Aflac (2025): 22.7 million victims—largest healthcare breach of 2025
• Anthem (2015): 78.8 million victims
• Premera Blue Cross (2015): 11 million victims

Similar to other major data breach class action settlements, victims may eventually receive compensation ranging from pro-rata cash payments to thousands of dollars for documented losses, depending on the final settlement terms.

The AT&T class action lawsuit recently approved $177 million for 73 million victims after two 2024 breaches, offering up to $7,500 per person with documented losses—providing a potential benchmark for what Conduent victims might recover if litigation succeeds.

What Regulatory Investigations Are Underway?

Conduent faces almost certain investigation by the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR), which enforces HIPAA compliance. As of January 2026, HHS’s breach portal still lists the Conduent incident as affecting only 42,616 individuals—a number that will need significant updating.

State attorneys general in affected states including Texas, Montana, Wisconsin, Oklahoma, and others are also likely investigating whether Conduent violated state data protection laws. Regulatory fines for HIPAA violations can reach $1.5 million per violation category per year, with state fines adding to potential penalties.

Frequently Asked Questions

How do I know if I was affected by the Conduent data breach?

You should have received a breach notification letter from either Conduent or your health insurance provider (Blue Cross Blue Shield, Humana, Premera, etc.) starting in October 2025. Check mail carefully—notifications may have arrived months after the breach discovery.

What should I do if I received a Conduent breach notification?

Enroll in the free two-year credit monitoring by March 31, 2026. Place fraud alerts on your credit reports, monitor financial accounts closely, and watch for signs of medical identity theft like unexpected medical bills or insurance claims you didn’t file.

Can I join the Conduent class action lawsuits?

Yes. If you received a breach notification, you’re automatically included in the class unless you opt out. You don’t need to take action now—wait for court notices about the class certification and any future settlement. Contact one of the law firms listed above if you suffered significant documented losses.

How much compensation can Conduent data breach victims receive?

Unknown at this stage. Settlement amounts depend on final class size, total damages, and negotiation outcomes. Similar healthcare breach settlements have ranged from $20-$100 per person for basic claims to thousands for documented identity theft losses.

Is my information being sold on the dark web?

Conduent claims it has found no evidence of misused data as of January 2026. However, the SafePay ransomware group threatened to publish the 8.5 terabytes of stolen data, and Conduent’s removal from the leak site suggests either ransom payment or data sale to other criminals.

What is the deadline to enroll in free credit monitoring?

March 31, 2026. This is a firm deadline stated in Conduent’s breach notification letters. Don’t wait—enroll as soon as possible to begin monitoring your credit for suspicious activity.

How long after a data breach do identity theft problems typically appear?

According to attorneys handling similar cases, misuse of stolen health and personal information typically begins 12 to 18 months after the breach. For the October 2024 Conduent breach, victims should remain vigilant through at least April 2026 and beyond.

Last Updated: January 3, 2026

Legal Disclaimer: This article provides general information about the Conduent data breach and ongoing litigation but does not constitute legal advice for specific situations.

Stay informed, stay protected. — AllAboutLawyer.com

About the Author

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah