More than 10.5 million individuals have been affected by a 2024 data breach involving Conduent Business Services as the firm issues customer notices to those affected.
The company has issued filings with various state attorney general offices regarding the data incident, highlighting the widespread reach and severity of the incident across multiple states.
Conduent’s filings with the Oregon Department of Justice suggests that over 10.5 million have been affected and customers notices were sent in October 2025.
The data breach also impacted over 4 million individuals in Texas, 76,000 in Washington and several hundred in Maine, according to reports.
The cyber incident was first discovered on January 13, 2025, according to the customer notice.
An unauthorized third party had access to the company’s environment for almost three months before it was identified. It is understood that the illicit access began on October 21, 2024.
The customer notice highlighted that Conduent has worked with a review team to conduct analysis of the affected files and to identify the personal information they contained. The note confirms to the recipients that their data was involved in the affected files.
The stolen data may include people’s names, Social Security numbers, dates of birth, medical information and health insurance details.
In February 2025, the SafePay ransomware gang claimed the cyber-attacks and claimed to have stolen 8.5TB of data.
The SafePay ransomware group emerged in October 2024 and has been one of the most active cybercriminal collectives since.
Conduent provides third-party printing/mailroom services, document processing services, payment integrity services and other back-office support services. The company supports approximately 100 million US residents across various government health programs, operates many of the largest toll systems in the US and is a provider of government payment disbursements for federally funded benefit and payment card programs.
The HIPPA Journal has ranked the Conduent data breach as the eighth largest healthcare data beach of all time. However, it is unknown how many of the data points affected would be classed as the Health Insurance Portability and Accountability Act (HIPAA)-regulated entities.