
Vendor breach sends shockwaves after 10.5 million records exposed


The Conduent Business Solutions breach unfolded over a three-month period and has now emerged as the largest healthcare data breach disclosed in 2025.

What happened

According to Conduent’s SEC filing, a threat actor first gained unauthorized access to the company’s systems on October 21, 2024, and maintained persistent access until January 13, 2025, when Conduent detected the intrusion and secured the affected network environment. During that time, the attacker exfiltrated files tied to multiple healthcare and government clients. 

State filings and corporate disclosures confirm that 10,515,849 individuals were impacted, including more than 462,000 members of Blue Cross and Blue Shield of Montana and approximately 310,000 UT Select and UT Care members serviced by Blue Cross and Blue Shield of Texas. The breach also affected members of Humana and Premera Blue Cross, as well as clients of the Wisconsin Department of Children and Families and Oklahoma Human Services, which experienced temporary service disruptions in January due to Conduent’s outage. 

The company disclosed the incident to regulators in January 2025 and later confirmed in its May 2025 quarterly earnings report that it had incurred $25 million in breach-response costs to date.

What was said

In a statement to KTVH, Blue Cross noted, “Blue Cross and Blue Shield of Montana was notified by Conduent that some of our member data was impacted by a cyber incident at Conduent. Conduent provides mail room and other services to several organizations. BCBSMT systems were not impacted by this incident. We are committed to supporting our members and working with them through this incident.”

Why it matters

Conduent operates as a business associate handling printing, mailing, document processing, payment integrity, and other administrative services tied directly to patient information. Healthcare entities depend on vendors like Conduent to manage PHI at scale, so when attackers maintained access to Conduent’s systems from October 21, 2024, to January 13, 2025, they also reached into multiple health plans’ data pipelines. 

That means sensitive patient information was exposed without the covered entities’ own systems being directly compromised. As a result, payers such as Blue Cross and Blue Shield of Montana and Blue Cross and Blue Shield of Texas, along with Humana and Premera Blue Cross, now face the operational burden of breach notification for their affected members.

The bigger picture

What stands out is the sheer scale of the breach and the way it dwarfs the other major breaches seen across healthcare in 2025. Earlier in the year, the Episource breach affected 5.4 million individuals, and United Seating and Mobility topped the mid-year charts at just over half a million people affected.

Across 107 email-related healthcare incidents between January and July, roughly 1.65 million individuals were impacted. Those numbers already signaled a troubling trend in vendor-driven exposure of patient data, yet Conduent’s breach more than doubled the largest healthcare incident reported before it in 2025, with 10.5 million patients affected.


FAQs

Why do business associate breaches matter?

Business associate breaches matter because they can expose millions of patient records even when a healthcare provider’s own systems are not compromised.

Who is responsible when a business associate is breached?

Covered entities and business associates share responsibility under HIPAA, and both can face penalties if safeguards and contracts are inadequate.

Do healthcare providers still need to notify patients if their vendor is breached?

Yes, covered entities must issue breach notifications to patients even if the breach happened at a business associate.