26 million Americans hit by what’s now called the biggest data breach in U.S. history

Hackers hit a massive government contractor

A ransomware attack on a company called Conduent Business Services has exposed the personal data of more than 25 million Americans.

Conduent is a New Jersey-based contractor that handles printing, payment processing, and back-office work for more than 600 government agencies and major health insurers.

Most people have never heard of it because it operates behind the scenes for state Medicaid programs, health insurance companies, and other government services.

The breach stretched from October 2024 through January 2025.

Hackers stayed inside for nearly three months

An unauthorized group broke into Conduent’s computer systems on Oct. 21, 2024, and stayed until Jan. 13, 2025. Conduent found the breach that same day after an operational disruption knocked some services offline.

The company said it activated its cybersecurity response plan, brought in outside experts, and got systems back up within days.

But Conduent did not publicly disclose the breach until an SEC filing on April 14, 2025, about three months after it found out.

Stolen data includes Social Security numbers

The hackers took names, Social Security numbers, medical information, and health insurance details. Not everyone lost the same data.

Some people may have had only a Social Security number taken, while others had their health insurance records exposed. A ransomware group called SafePay claimed responsibility for the attack.

Conduent has confirmed that files were stolen but has not confirmed SafePay’s specific claims about what they took.

Victim count keeps climbing past 25 million

The numbers keep shifting. In Texas alone, the reported count of affected people jumped from an initial estimate of about 4 million to 15.4 million. Oregon has reported about 10.5 million.

Some of those figures may represent running national totals reported to state attorneys general, not just residents in each state.

Notifications have also gone out in Delaware, Massachusetts, New Hampshire, Georgia, South Carolina, New Jersey, Maine, and New Mexico. The final count could still change.

Families lost child support payments for days

The breach did not just expose data. It disrupted real services.

Wisconsin’s Department of Children and Families said it could not process child support payments for much of a week in mid-January 2025. Four states dealt with outages, according to Wisconsin officials.

Parents and beneficiaries reported problems receiving payments through electronic transfers and EBT cards.

Systems came back online on Jan. 19, 2025, but for families waiting on those payments, the damage was already done.

Conduent waited nine months to notify victims

Notification letters did not start going out until October 2025, about nine months after Conduent discovered the breach. That long gap has become a central issue in lawsuits and investigations.

Conduent says it expects to finish sending all notifications by April 15, 2026.

To make things harder for recipients, the letters do not always say which company originally hired Conduent, leaving some people confused about how their data got involved.

Texas AG demands answers from two companies

On Feb. 12, 2026, Texas Attorney General Ken Paxton issued Civil Investigative Demands to both Conduent and Blue Cross Blue Shield of Texas.

Those demands require both companies to hand over documents about their security practices and compliance with state law.

The investigation focuses on whether either company failed to protect the health information of Texas residents, including Medicaid recipients.

Montana has also opened its own investigation into the breach’s impact on Blue Cross Blue Shield of Montana members.

Major health insurers had member data exposed

Blue Cross Blue Shield of Texas, Blue Cross Blue Shield of Montana, Humana, and Premera Blue Cross are among the companies affected.

Blue Cross Blue Shield of Texas confirmed that its own systems were not directly breached, but member data was compromised through Conduent’s systems. Premera Blue Cross said the same thing.

Volvo Group North America also disclosed that about 17,000 of its employees were affected through Conduent.

Lawsuits pile up in New Jersey federal court

Multiple class action lawsuits have been filed and combined in the U.S. District Court for the District of New Jersey. Plaintiffs say Conduent failed to protect sensitive data and took too long to tell the public.

At least nine lawsuits had been filed by late October 2025, and more followed as the victim count grew.

The suits seek compensatory, statutory, and punitive damages and ask the court to order Conduent to strengthen its security. Conduent has reported about $25 million in costs related to breach response.

Conduent says no stolen data has been misused yet

Conduent says it has found no evidence that any of the stolen information has been used for fraud. The company says it has been watching for signs that the data has shown up on the dark web.

Conduent holds a cyber insurance policy and expects it to cover notification costs within policy limits.

But the company has admitted that further costs from lawsuits, regulatory fines, and damage to its reputation could hurt its finances going forward.

What to do if you get a notification letter

If you receive a letter, do not throw it away. Officials stress these letters are real and not a scam.

You may qualify for free credit monitoring, but you must sign up by April 30, 2026, using the instructions in your letter. Security experts recommend placing a credit freeze with Equifax, Experian, and TransUnion.

A freeze is free and stops anyone from opening new accounts in your name. Watch your bank statements and credit reports closely for anything unfamiliar.

Your data may be at risk for any kind of cyber attack

Conduent processes payments, healthcare claims, and back-office work for state agencies that handle Medicaid, child support, food assistance, and toll programs.

The company says it supports about 100 million U.S. residents through government health programs.

Because Conduent works as a behind-the-scenes contractor, many people whose data it handles have no idea the company exists.

And unlike a stolen credit card, Social Security numbers and medical records cannot be canceled or replaced, which makes this type of breach especially risky for long-term identity theft.

This article was created with AI assistance and human editing.

Read more from this brand:

• New Medicaid eligibility rules could hit cancer screenings hard, study warns
• ACA enrollment drops by over 1 million for 2026 after COVID-era subsidies expire
• New ICE tool draws from Medicaid records of 80 million people to find targets