Conduent Healthcare Breach Hits 25 Million Americans as 35 Lawsuits Consolidate
Conduent data breach affects 25 million Americans. 35 class action lawsuits consolidated in New Jersey. Texas AG investigating healthcare data theft.
Formfy Team
Product Team

Summary
The Conduent data breach, now confirmed to affect 25 million Americans, reached a litigation milestone on March 18, 2026, when 35 class action lawsuits were consolidated into a single amended complaint in U.S. District Court for the District of New Jersey. The SafePay ransomware group spent 83 days inside Conduent's network between October 2024 and January 2025, exfiltrating 8.5 terabytes of healthcare data.
Key Details
Conduent, a government and healthcare services contractor, processes claims data for major insurers including Blue Cross Blue Shield of Texas, Blue Cross Blue Shield of Montana, Premera Blue Cross, and Humana. Revised state filings in February 2026 more than doubled the initial estimate from 10.5 million to 25 million affected individuals.
Stolen data includes Social Security numbers, medical records, health insurance details, and Medicaid claims. Conduent began sending breach notifications in October 2025, nine months after discovery, exceeding HIPAA's required 60-day notification window.
Texas Attorney General Ken Paxton issued Civil Investigative Demands to both Blue Cross Blue Shield of Texas and Conduent, calling it one of the largest healthcare data breaches in U.S. history. Approximately four million Texans were affected, including Texas Medicaid recipients. Defendants have until April 20, 2026, to respond to the consolidated complaint.
An eight-member Plaintiffs' Steering Committee was appointed December 22, 2025, to coordinate the litigation. The lawsuits allege negligence, breach of contract, and violations of state consumer protection laws. No settlement has been reached.
Why This Matters
The breach exposes third-party vendor risk in healthcare: millions of patients never knew their data flowed through Conduent's systems. Because Conduent operates as a HIPAA business associate, every insurer and provider that contracted with it faces direct regulatory scrutiny for failing to verify vendor security controls.
The nine-month notification delay exposes Conduent to additional penalties under both federal and state breach notification laws. Healthcare organizations should audit their business associate agreements and require documented evidence of cybersecurity controls from vendors handling patient data.
For healthcare organizations managing patient intake and consent forms, the Conduent breach underscores why tracking where patient data flows after collection matters. Vendors processing health information should be contractually bound to the same security standards applied to first-party systems.