Conduent Business Solutions, a business associate of many HIPAA-regulated entities and government institutions, suffered a data breach that brought about the exposure and likely theft of the protected health information (PHI) of over 10.5 million individuals. This data breach is the biggest healthcare data breach reported to date this year, and it is the 8th biggest healthcare data breach of all time.
Conduent Business Solutions provides healthcare organizations and government institutions with back-office services, such as mailing, document processing, printing, payment integrity services, and other support services. The number of HIPAA-regulated entities affected by the data breach is currently unknown.
Blue Cross and Blue Shield of Montana lately reported that it sent breach notification letters to 462,000 individuals affected by the data breach. Blue Cross and Blue Shield of Texas reported that the breach affected around 310,000 of its UT Select and UT Care plan members. The data breach also affected Humana clients and Premera Blue Cross members, though the number of affected individuals is uncertain. The incident also affected government organizations, including the Wisconsin Department of Children and Families and Oklahoma Human Services, resulting in temporary service disruptions because of the outage in January.
Conduent Business Solutions notified state regulators that the breach affected 10,515,849 patients, which include over 4 million people in Texas. It is not clear whether the incident affected non-healthcare companies. It’s parent company, Conduent Inc., reported the data breach to the U.S. Securities and Exchange Commission (SEC) in January 2025, and gave an update in April. The SEC filing mentioned that a threat actor acquired access to a small part of its IT environment and stole the information of a significant number of individuals. The breach is not yet published on the HHS’ Office for Civil Rights (OCR) breach website, possibly because OCR has not yet updated the listings since September 24, 2025, when the government had to shut down.
Conduent Business Solutions discovered the attack on January 13, 2025. Third-party digital forensics professionals helped investigate the incident and confirmed that initial access happened on October 21, 2024. The attacker had continued access to the system up to three months before Conduent secured its network on January 13, 2025. Within a few days, Conduent restored access to the impacted systems. Certain systems were restored within hours and had no material impact on their functions.
The investigation affirmed that the attacker stole some of its clients’ files. Because of the complexity of the breached data, the company took several months to finish the file analysis and identify the affected individuals and data involved. Conduent is currently sending individual notifications to the affected patients.
The breached data because of the incident differs from company to company and person to person, possibly affecting names, birth dates, Social Security numbers, treatment data, and claims details. According to the notice sent to the California Attorney General, the business associate did not offer free credit monitoring and identity theft protection services.
Although the total financial impact of the cyberattack remains unknown, Conduent mentioned $25 million in breach response costs in its May 2025 first-quarter earnings report. There is a cyber insurance policy that will take care of a percentage of the cost.