Summary:
-
A government contractor, Conduent, was hit by a ransomware attack, compromising sensitive personal information of over 25 million Americans.
-
The stolen data includes names, addresses, Social Security numbers, and medical records, making identity theft easy and long-lasting.
-
Hackers had access to Conduent’s systems for nearly three months before the breach was detected, leading to ongoing repercussions.
A government contractor you’ve likely never heard of may have already handed your most sensitive personal information to hackers.
Conduent — a New Jersey-based business services company that processes data for state agencies, government benefit programs and Fortune 100 companies — was hit by a ransomware attack in January 2025. The breach was bad. And it has been quietly getting worse ever since.
What initially looked like a limited incident affecting around 4 million people has now ballooned to more than 25 million Americans, according to state attorney general filings and an ongoing tally by TechCrunch. Texas alone accounts for 15.4 million affected residents — nearly half the state’s population. Oregon has confirmed another 10.5 million. Notifications have gone out in California, Delaware, Indiana, Maine, Massachusetts, New Hampshire and Vermont, with more states expected.
The stolen data is not the kind you can just reset. Names, dates of birth, addresses, Social Security numbers, medical records and health insurance details were all exposed — the exact combination that makes identity theft not just possible, but easy and long-lasting.
The attack was carried out by the SafePay ransomware group, which claimed responsibility in February 2025 and said it exfiltrated more than 8.5 terabytes of data. The group threatened to publish the stolen data if its ransom demands went unmet. Conduent is no longer listed on the group’s dark web leak site, though the company has not confirmed whether a ransom was paid.
Here is what makes the timeline particularly alarming: hackers had access to Conduent’s systems from Oct. 21, 2024 to Jan. 13, 2025 — nearly three months — before the company detected the intrusion. The public was not officially notified until April 2025. Affected individuals in some states did not receive letters until October 2025, almost a year after the breach began. Conduent says it expects to complete all consumer notifications by April 15, 2026.
ADVERTISEMENT
Multiple class-action lawsuits have been consolidated in U.S. District Court in New Jersey, with plaintiffs alleging the company failed to adequately protect sensitive data and waited too long to notify the public. The Texas Attorney General opened a formal investigation on Feb. 22, 2026. Conduent has reported $25 million in direct breach response costs, with $17 million already disbursed and another $8 million expected in the first half of 2026.
Most people affected had no idea Conduent even had their data. The company operates as a backend processor for Medicaid, SNAP food assistance, child support, unemployment benefits and workplace payroll systems. Its technology and services reach more than 100 million people nationwide, per its own filings. When the backend gets hit, the people who feel it are the ones already most vulnerable — benefit recipients, patients, people who depend on government programs working the way they are supposed to.
Conduent said in a statement that it “has no evidence of any attempted or actual misuse of any information potentially affected by this incident.” But with Social Security numbers in the mix, the risk does not expire. Unlike a compromised password, a Social Security number cannot be changed. The exposure is permanent.
The breach has been ranked the eighth-largest healthcare data breach in U.S. history, per the HIPAA Journal. Texas Attorney General Ken Paxton called it “likely the largest breach in U.S. history.”
The number is still climbing.
