If you recently received a Conduent data breach letter in the mail, you are not alone — and the situation is far more serious than most people realize. What began as a cybersecurity incident quietly detected in January 2025 has since exploded into one of the largest data exposures in American history, now affecting an estimated 25 million people across the United States. From Social Security numbers to medical records, the stolen data touches the most sensitive corners of millions of Americans’ personal lives.
Read this article in full before you discard that letter. Your identity and financial security may depend on what you do in the coming weeks.
Table of Contents
What Is Conduent and Why Should You Care?
Conduent Business Services is not a household name, but it quietly powers the back-office operations of some of the most essential institutions in the country. The company provides printing, mailroom management, document processing, payment integrity, and other administrative support services to hundreds of government agencies, healthcare organizations, and major corporations.
Its client list reads like a who’s who of American industry. Health insurance giants such as Humana, Premera Blue Cross, Blue Cross and Blue Shield of Texas, and Blue Cross and Blue Shield of Montana all rely on Conduent. The company also serves over 600 government and transportation organizations, along with roughly half of the Fortune 100 companies nationwide. When Conduent’s systems were compromised, the ripple effects spread far and wide — reaching patients, employees, government program recipients, and ordinary Americans who had no direct relationship with the company at all.
How the Attack Unfolded
The cyberattack on Conduent did not happen overnight. Hackers first gained unauthorized access to the company’s network on October 21, 2024, and remained inside undetected for nearly three months. Conduent did not discover the intrusion until January 13, 2025, when an operational disruption triggered an internal investigation.
The SafePay ransomware group claimed responsibility for the attack in February 2025. This group, which emerged in late 2024, quickly became one of the most aggressive ransomware operations in the world. SafePay claimed to have stolen a staggering 8.5 terabytes of data from Conduent’s systems. The group added Conduent to its dark web leak site and threatened to publish the stolen data if its ransom demands went unmet. As of early 2026, Conduent no longer appears on the SafePay leak site, though the company has not disclosed whether it paid any ransom.
Conduent publicly disclosed the breach in April 2025 through a filing with the Securities and Exchange Commission. At the time, the company estimated that a limited number of users were affected. That estimate turned out to be a dramatic undercount.
The Numbers Keep Growing
When Conduent first began notifying state attorneys general in October 2025, the reported figures were already alarming. Initial reports pointed to roughly 4 million people in Texas and approximately 10.5 million individuals across the country. As the investigation deepened, those numbers climbed sharply.
By February 2026, the confirmed count of affected individuals in Texas alone had surged to more than 15.4 million — a figure that represents more than half of the state’s total population. In Oregon, the attorney general reported that over 10.5 million residents were impacted by the incident. Notification letters have also been sent to attorneys general in California, Delaware, Indiana, Maine, Massachusetts, New Hampshire, Vermont, and additional states.
The total estimated number of affected Americans now stands at 25 million, more than doubling from early projections. It is now widely regarded as one of the most significant data breaches of 2025.
What Personal Information Was Exposed
The categories of data exposed in this breach rank among the most sensitive that exist. According to notification letters sent to affected individuals and to state attorneys general offices, the compromised files may have contained full legal names, Social Security numbers, dates of birth, home addresses, health insurance policy details and member identification numbers, medical diagnosis codes and treatment descriptions, treatment costs and hospital admission or discharge dates, and insurance claim numbers.
Not every data element was present for every affected person. However, the combination of Social Security numbers, medical data, and insurance details creates serious potential for identity theft, healthcare fraud, and financial exploitation that can persist for years.
The Notification Letter — What It Means and What You Must Do
Conduent began sending the Conduent data breach notification letters to affected individuals in October 2025 and expects to complete all consumer notifications by April 15, 2026. These letters are being sent on behalf of Conduent’s clients — so your letter may reference a health insurer, an employer, or a government agency rather than Conduent itself.
The letter explains that an unauthorized third party accessed Conduent’s network and obtained files containing your personal information. It will specify which data elements were involved in your particular case.
Enroll in free credit monitoring. Conduent is offering affected individuals two full years of free credit monitoring and identity restoration services. The enrollment deadline is March 31, 2026, and this window will not be extended. The package includes dark web monitoring, credit report tracking across all three major bureaus, identity theft insurance, and managed identity recovery assistance. Do not let this deadline pass.
Place a fraud alert on your credit file. Contact any one of the three major credit bureaus — Equifax, Experian, or TransUnion — to activate a fraud alert. This alert requires lenders to take additional steps to verify your identity before opening any new account in your name.
Consider a credit freeze. A security freeze is one of the most reliable tools available to prevent new fraudulent accounts from being opened in your name. It is free to place and free to lift, and it applies across all three credit bureaus.
Monitor your accounts closely. Review bank statements, credit card transactions, and any Explanation of Benefits documents from your health insurer for unauthorized or suspicious activity. Criminals often wait months — sometimes longer — before using stolen data, so ongoing vigilance is essential.
Guard against follow-up phishing. Be highly suspicious of unsolicited emails, phone calls, or text messages claiming to be from Conduent, your insurer, or any government agency. Fraudsters routinely exploit known breaches to launch secondary scams targeting the same victims.
→ Don’t wait until the March 31 deadline closes — use the enrollment link in your notification letter to activate your free identity protection services today.
Legal and Regulatory Consequences
The breach has triggered serious legal and regulatory responses across the country. Texas Attorney General Ken Paxton announced a formal investigation into Conduent’s handling of the incident. Multiple class action lawsuits have been filed against the company, with plaintiffs challenging both the breach itself and the extended timeline it took for affected individuals to be notified — nearly a full year after hackers first entered the network.
Conduent has set aside $25 million to cover the full cost of its notification obligations, including identifying affected individuals, mailing letters, providing identity protection services, and staffing a dedicated consumer call center. The company had already paid out $9 million of that amount before its most recent SEC filings, and it plans to complete remaining disbursements by early 2026. The company’s cyber insurance policy covers costs that exceed the $25 million threshold, up to the policy’s agreed limits.
No court-ordered fines or finalized settlement agreements exist as of February 2026. However, anyone who received a notification letter is automatically included in the class action lawsuits unless they choose to opt out. Accepting free credit monitoring does not affect the ability to participate in or benefit from any eventual settlement.
No Confirmed Misuse — But Risks Remain
Conduent has stated that it monitors the dark web on an ongoing basis and has found no evidence that stolen personal information has been posted or sold online. The removal of Conduent from the SafePay leak site is a positive development, though it does not guarantee that the data will never surface.
Security professionals consistently warn that the absence of visible misuse in the short term does not mean the data is safe. Criminal networks often hold stolen information for months or even years before exploiting it directly or selling it to other parties. Social Security numbers and medical records, in particular, retain their value indefinitely and can be used to commit fraud long after a breach fades from public attention.
What Comes Next
Conduent is working to send the final round of consumer notifications by April 15, 2026. The investigation remains open, and the confirmed count of affected individuals could still increase as the company completes its review of client data sets. State attorneys general across the country continue to monitor the situation, and additional regulatory enforcement actions remain possible in the months ahead.
For the 25 million Americans caught up in this breach, the single most important thing to do right now is take action — not wait. Enroll in the available protection services before the deadline, lock down your credit, and stay alert for any suspicious financial or medical activity throughout this year and beyond.
Have you received a Conduent data breach notification letter, or do you think your information may have been exposed? Drop a comment below and tell us what steps you have already taken — your experience could help someone else protect themselves right now.
