As of today, millions of Americans are receiving a Conduent data breach letter notifying them that their personal information may have been exposed in a ransomware attack on Conduent systems that occurred between October 21, 2024, and January 13, 2025.
If you recently received a Conduent data breach letter in the mail, you are not alone — and the situation is far more serious than most people realize. What began as a cybersecurity incident quietly detected in January 2025 has since exploded into one of the largest data exposures in American history, now affecting an estimated 25 million people across the United States. From Social Security numbers to medical records, the stolen data touches the most sensitive corners of millions of Americans’ personal lives.
Read this article in full before you discard that letter. Your identity and financial security may depend on what you do in the coming weeks.
Conduent Data Breach Update (Mar 2026)
The Conduent data breach remains one of the largest cybersecurity incidents affecting Americans, with updated reports indicating that more than 25 million people may have had their personal information exposed after hackers accessed the company’s systems between October 21, 2024, and January 13, 2025. The breach involved sensitive data such as names, addresses, Social Security numbers, and some health-related information tied to government programs and insurance services handled by the company. In 2026, millions of individuals across multiple U.S. states are receiving notification letters about the incident, while state authorities and regulators continue investigations into the attack and its impact.
What Is Conduent and Why Should You Care?
Conduent Business Services is not a household name, but it quietly powers the back-office operations of some of the most essential institutions in the country. The company provides printing, mailroom management, document processing, payment integrity, and other administrative support services to hundreds of government agencies, healthcare organizations, and major corporations.
Its client list reads like a who’s who of American industry. Health insurance giants such as Humana, Premera Blue Cross, Blue Cross and Blue Shield of Texas, and Blue Cross and Blue Shield of Montana all rely on Conduent. The company also serves over 600 government and transportation organizations, along with roughly half of the Fortune 100 companies nationwide. When Conduent’s systems were compromised, the ripple effects spread far and wide — reaching patients, employees, government program recipients, and ordinary Americans who had no direct relationship with the company at all.
How the Attack Unfolded
The cyberattack on Conduent did not happen overnight. Hackers first gained unauthorized access to the company’s network on October 21, 2024, and remained inside undetected for nearly three months. Conduent did not discover the intrusion until January 13, 2025, when an operational disruption triggered an internal investigation.
The SafePay ransomware group claimed responsibility for the attack in February 2025. This group, which emerged in late 2024, quickly became one of the most aggressive ransomware operations in the world. SafePay claimed to have stolen a staggering 8.5 terabytes of data from Conduent’s systems. The group added Conduent to its dark web leak site and threatened to publish the stolen data if its ransom demands went unmet. As of early 2026, Conduent no longer appears on the SafePay leak site, though the company has not disclosed whether it paid any ransom.
Conduent publicly disclosed the breach in April 2025 through a filing with the Securities and Exchange Commission. At the time, the company estimated that a limited number of users were affected. That estimate turned out to be a dramatic undercount.
The Numbers Keep Growing
When Conduent first began notifying state attorneys general in October 2025, the reported figures were already alarming. Initial disclosures suggested roughly 4 million people in Texas and about 10.5 million individuals nationwide may have been affected. However, as federal and state investigations progressed, the scale of the incident expanded significantly, revealing a far broader exposure than originally understood.
By February 2026, updated filings and state-level disclosures indicated that the confirmed number of affected individuals in Texas alone had risen to more than 15.4 million — a figure representing over half of the state’s population and underscoring the systemic nature of the breach. The rapid increase reflected ongoing forensic analysis, improved matching of compromised records, and delayed reporting from government agencies that rely on Conduent for benefit administration, payment processing, and public-sector technology services.
In Oregon, officials reported that more than 10.5 million individuals were impacted — a number that exceeds the state’s population because datasets included records tied to multi-state programs, historical beneficiaries, and duplicate or legacy files retained by agencies. Similar clarification has emerged in several jurisdictions, where counts reflect records rather than strictly current residents.
Notification letters have now been filed with attorneys general in California, Delaware, Indiana, Maine, Massachusetts, New Hampshire, Vermont, and additional states as the incident’s geographic footprint continues to widen. Many of these filings note that the affected data may include names, addresses, dates of birth, Social Security numbers, Medicaid or benefits information, and internal identification numbers, depending on the agency involved.
The total estimated number of affected Americans now stands at roughly 25 million, more than doubling early projections and placing the event among the largest public-sector vendor breaches disclosed in 2025. Investigators say the rising totals are typical in large vendor incidents, where a single compromised platform can expose data from multiple state programs simultaneously.
Conduent first disclosed the cybersecurity incident in a filing with the U.S. Securities and Exchange Commission, initially stating that only a limited number of users appeared affected. That estimate was later revised as digital forensics uncovered additional compromised environments and agencies completed their internal reviews. Regulators generally allow companies to update impact numbers as investigations progress, which often leads to significant upward revisions months after the first disclosure.
By early 2026, the incident had moved from an isolated breach narrative to a broader policy and oversight issue. Several states launched reviews of vendor security requirements, contract safeguards, and breach-notification timelines. Lawmakers in multiple jurisdictions have also raised concerns about third-party risk management, noting that government reliance on large technology vendors can amplify the scale of a single security failure.
At the same time, consumer protection agencies have urged potentially affected individuals to monitor credit reports, consider fraud alerts or credit freezes, and watch for official notification letters from state agencies rather than unsolicited outreach. Because many public-sector data breaches involve long-retained records, individuals who no longer receive services may still appear in affected datasets.
As of February 2026, investigations remain ongoing, and officials have warned that totals could continue to change as additional agencies complete record reviews. What began as a limited disclosure has evolved into one of the most consequential data-security events involving a government contractor in recent years — illustrating how initial breach estimates can dramatically understate the eventual scope.
Third-Party Vendor Risk and the Rise of Medical Identity Theft
One of the most significant lessons emerging from the Conduent incident is the growing risk tied to third-party vendors that handle sensitive data for healthcare providers, insurers, employers, and government agencies.
Cybersecurity experts warn that large-scale breaches increasingly originate within vendor ecosystems, where a single intrusion can expose information belonging to millions of people who may have never interacted with the vendor directly. At the same time, specialists are raising concerns about the long-term threat of medical identity theft following healthcare-related data exposures. Unlike traditional financial fraud, medical identity theft can remain undetected for years and may lead to inaccurate medical records, fraudulent insurance claims, and unexpected billing issues.
Consumer protection guidance now encourages affected individuals to review Explanation of Benefits statements regularly, request copies of their medical records, report unfamiliar treatments immediately, and retain breach notification letters permanently, as these documents may be required for dispute resolution, insurance corrections, or participation in future legal settlements.
What Personal Information Was Exposed
The categories of data exposed in this breach rank among the most sensitive that exist. According to notification letters sent to affected individuals and to state attorneys general offices, the compromised files may have contained full legal names, Social Security numbers, dates of birth, home addresses, health insurance policy details and member identification numbers, medical diagnosis codes and treatment descriptions, treatment costs and hospital admission or discharge dates, and insurance claim numbers.
Not every data element was present for every affected person. However, the combination of Social Security numbers, medical data, and insurance details creates serious potential for identity theft, healthcare fraud, and financial exploitation that can persist for years.
The Notification Letter — What It Means and What You Must Do
Conduent began sending data breach notification letters to affected individuals in October 2025 and expects to complete all consumer notifications by April 15, 2026. These letters are being sent on behalf of Conduent’s clients — so your letter may reference a health insurer, an employer, or a government agency rather than Conduent itself.
The letter explains that an unauthorized third party accessed Conduent’s network and obtained files containing your personal information. It will specify which data elements were involved in your particular case.
Enroll in free credit monitoring. Conduent is offering affected individuals two full years of free credit monitoring and identity restoration services. The enrollment deadline is March 31, 2026, and this window will not be extended. The package includes dark web monitoring, credit report tracking across all three major bureaus, identity theft insurance, and managed identity recovery assistance. Do not let this deadline pass.
Place a fraud alert on your credit file. Contact any one of the three major credit bureaus — Equifax, Experian, or TransUnion — to activate a fraud alert. This alert requires lenders to take additional steps to verify your identity before opening any new account in your name.
Consider a credit freeze. A security freeze is one of the most reliable tools available to prevent new fraudulent accounts from being opened in your name. It is free to place and free to lift, and it applies across all three credit bureaus.
Monitor your accounts closely. Review bank statements, credit card transactions, and any Explanation of Benefits documents from your health insurer for unauthorized or suspicious activity. Criminals often wait months — sometimes longer — before using stolen data, so ongoing vigilance is essential.
Guard against follow-up phishing. Be highly suspicious of unsolicited emails, phone calls, or text messages claiming to be from Conduent, your insurer, or any government agency. Fraudsters routinely exploit known breaches to launch secondary scams targeting the same victims.
→ Don’t wait until the March 31 deadline closes — use the enrollment link in your notification letter to activate your free identity protection services today.
Legal and Regulatory Consequences
The breach has triggered serious legal and regulatory responses across the country. Texas Attorney General Ken Paxton announced a formal investigation into Conduent’s handling of the incident. Multiple class action lawsuits have been filed against the company, with plaintiffs challenging both the breach itself and the extended timeline it took for affected individuals to be notified — nearly a full year after hackers first entered the network.
Conduent has set aside $25 million to cover the full cost of its notification obligations, including identifying affected individuals, mailing letters, providing identity protection services, and staffing a dedicated consumer call center. The company had already paid out $9 million of that amount before its most recent SEC filings, and it plans to complete remaining disbursements by early 2026. The company’s cyber insurance policy covers costs that exceed the $25 million threshold, up to the policy’s agreed limits.
No court-ordered fines or finalized settlement agreements exist as of February 2026. However, anyone who received a notification letter is automatically included in the class action lawsuits unless they choose to opt out. Accepting free credit monitoring does not affect the ability to participate in or benefit from any eventual settlement.
No Confirmed Misuse — But Risks Remain
Conduent says it has not identified confirmed cases of stolen data being publicly released or actively used for fraud, but cybersecurity experts stress that this does not eliminate the danger. In many major ransomware incidents, stolen information is quietly stored, traded privately, or packaged with other datasets before criminals attempt large-scale exploitation. Threat groups increasingly avoid immediate leaks because holding data longer can increase its value and reduce detection. The disappearance of a company from a ransomware leak site may signal negotiations, internal takedowns, or a shift in how attackers plan to use the information rather than proof the data is gone.
Recent breach patterns across the healthcare and government services sector show that victims can experience identity theft months or even years after an attack, particularly when Social Security numbers, insurance identifiers, and medical histories are involved. These data types are difficult to change and can be reused repeatedly for synthetic identity fraud, fraudulent medical billing, tax scams, and targeted phishing campaigns. Investigators also note that new impacted individuals are sometimes identified long after the initial breach announcement as organizations complete deeper data reviews. Because of this delayed risk timeline, security professionals recommend long-term monitoring, keeping credit protections active beyond the free monitoring period, and maintaining records of the breach notification in case issues surface in the future.
Conduent Return to Kroll Letter
In response to the recent data security incident, Conduent has formally returned to Kroll, the independent risk and financial advisory firm, to assist with identity monitoring and breach response services for potentially affected individuals. The Conduent return to Kroll letter notifies recipients about the scope of the incident, outlines what personal information may have been involved, and provides instructions on how to enroll in complimentary credit monitoring and identity protection services. The letter also explains the steps Conduent has taken to strengthen its cybersecurity systems and encourages recipients to remain vigilant by reviewing account statements and monitoring credit reports for suspicious activity.
What Comes Next
Conduent is working to send the final round of consumer notifications by April 15, 2026. The investigation remains open, and the confirmed count of affected individuals could still increase as the company completes its review of client data sets. State attorneys general across the country continue to monitor the situation, and additional regulatory enforcement actions remain possible in the months ahead.
For the 25 million Americans caught up in this breach, the single most important thing to do right now is take action — not wait. Enroll in the available protection services before the deadline, lock down your credit, and stay alert for any suspicious financial or medical activity throughout this year and beyond.
FAQs
1. What is the Conduent Return to Kroll letter?
It is a notification sent to individuals whose information may have been impacted by a data security incident involving Conduent. The letter explains the situation and provides instructions for enrolling in complimentary identity monitoring services administered by Kroll.
2. Why did I receive this letter?
You received the letter because your personal information may have been involved in the incident. Companies are required to notify potentially affected individuals when certain types of data are exposed.
3. What is Kroll’s role?
Kroll is an independent risk management and identity protection service provider. In this case, Kroll is offering credit monitoring, fraud consultation, and identity theft restoration services to eligible individuals.
4. What information may have been affected?
The letter typically outlines the categories of information involved. Depending on the case, this may include name, address, Social Security number, or other identifying details.
5. Is this letter legitimate?
If the letter includes official contact details, a reference number, and enrollment instructions for Kroll services, it is likely legitimate. You can verify it by contacting Conduent or Kroll directly using publicly listed contact information.
6. Do I need to take action?
Yes. If you wish to receive free identity monitoring services, you must enroll before the deadline provided in the letter.
7. How long are the identity monitoring services offered?
The duration of free services is specified in the letter. It commonly ranges from 12 to 24 months, depending on the incident.
8. What should I do if I notice suspicious activity?
Immediately contact your financial institution, place a fraud alert on your credit file, and report the issue to the appropriate authorities. Kroll’s identity restoration specialists can also assist.
9. Does receiving this letter mean my identity has been stolen?
Not necessarily. The letter is precautionary. It means your information may have been exposed, but it does not confirm misuse.
10. Where can I get more information?
You can contact the dedicated call center number listed in the letter or visit the official Conduent or Kroll website for additional guidance.
