
Conduent faces lawsuits after data breach exposes 10.5 million health records


Legal action is intensifying following a breach at Conduent Business Solutions that affected healthcare and government clients across the U.S.


What happened

According to Bank Info Security, at least nine class action lawsuits have been filed in New Jersey federal court in response to a data breach that exposed the personal information of over 10.5 million individuals through Conduent Business Solutions, a service provider to healthcare and government entities. Law firms continue to open investigations, and the number of lawsuits is expected to grow.

The lawsuits allege that Conduent failed to adequately secure its systems and delayed notifying victims. The breach was first detected in January 2025, three months after hackers had gained initial access, and Conduent announced the breach in April. Notification letters only began going out in October, nearly a year after the initial intrusion in October 2024.


Going deeper

The breach was among the most severe in 2025, ranking as the largest healthcare data breach of the year and the eighth largest on record. Conduent provides services such as document processing, payment integrity, and back-office support for healthcare organizations and state agencies.

Entities affected include:

  • Blue Cross and Blue Shield of Montana: 462,000 individuals
  • Blue Cross and Blue Shield of Texas (UT Select and UT Care plans): approx. 310,000 individuals
  • Humana and Premera Blue Cross: number of affected individuals not yet disclosed
  • Wisconsin DCF and Oklahoma Human Services: reported service disruptions but no sensitive data exposure

The full scope of impacted HIPAA-covered entities remains unclear. The breach is not yet reflected in the HHS OCR’s breach portal, likely due to the ongoing government shutdown.

Forensic investigations revealed that attackers had access to Conduent’s systems from October 21, 2024, to January 13, 2025. Although the company restored affected systems quickly, it took months to complete the review of compromised files. The stolen data varies by individual but may include names, birthdates, Social Security numbers, treatment records, and insurance claims data. No evidence has emerged that complimentary identity protection services were offered.


What was said

The lawsuits cite negligence, breach of contract, and unjust enrichment, calling for compensatory and punitive damages. Plaintiffs are also seeking injunctive relief that would require Conduent to implement improved security protocols.

Some suspect the SafePay ransomware group was behind the breach, as it briefly listed Conduent on its leak site. The listing is no longer active, which has led to speculation that a ransom was paid or that the data was sold.

Conduent has reported $25 million in direct costs related to the breach response so far, with some losses expected to be covered by cyber insurance. Regulatory scrutiny is likely, particularly around HIPAA compliance and state-level security laws.


The big picture

According to Breached Company, the Conduent ransomware attack “serves as a stark reminder that cybersecurity failures at third-party vendors can have catastrophic ripple effects across entire sectors of the economy.” The publication noted that when a single breach “exposes the personal and medical information of over 10.5 million Americans - including 4 million Texans - the incident transcends typical corporate data breach discussions and becomes a matter of national security and public health.”

The report further stated that SafePay’s ability to “remain undetected for nearly three months while exfiltrating 8.5 terabytes of sensitive data” shows that “the ransomware threat continues to evolve and intensify.” It warned that for organizations handling sensitive information, “robust cybersecurity is no longer optional,” as “the stakes are too high, the attackers too sophisticated, and the consequences too severe.”


FAQs

What is a “business associate” under HIPAA, and why does it matter in this breach?

A business associate is a vendor that creates, receives, maintains, or transmits protected health information (PHI) on behalf of HIPAA-covered entities such as health plans and healthcare providers. Under HIPAA, business associates must implement appropriate safeguards for that PHI. In this case, Conduent’s role as a business associate to many clients means a single breach at one vendor impacted multiple covered entities at once.


Why was the breach not immediately reported to the public or affected individuals?

Complex file reviews and forensic investigations often delay notifications, because an organization must first determine which files were taken and whose data they contain. However, regulatory guidelines still expect timely disclosure. The lawsuits are now challenging whether Conduent’s timeline was reasonable.


What can individuals affected by the breach do to protect themselves?

Even though Conduent has not confirmed offering credit monitoring, individuals can place fraud alerts, request credit reports, and monitor insurance claims for suspicious activity.


Could regulatory fines be issued even if no laws were clearly violated?

Yes. Regulators may still impose fines if they determine that data protection practices were insufficient or if breach notification timelines failed to meet state or federal standards.


How does this compare to other major healthcare breaches?

With over 10.5 million individuals affected, this is the largest U.S. healthcare breach of 2025 and one of the top ten historically. While smaller than the Change Healthcare breach, its impact spans multiple sectors and states, raising broader questions about third-party risk.