At least 25 million people have had their personal information stolen in a major hack on business services company Conduent. The data breach itself isn’t new—it was initially disclosed in January 2025, and Conduent has already notified millions of individuals whose data was compromised in the incident. However, the breach is now believed to be larger in scale than previously reported, possibly among the largest to affect healthcare.

Who is Conduent?

Conduent is a New Jersey-based business process outsourcing (BPO) company that provides services like printing, payment, and document and claims processing to state and federal government agencies as well as large commercial and transportation organizations. According to the company’s 2025 annual report, these offerings include disbursement of benefits, such as food assistance and child support, and administration of government healthcare programs (like Medicaid). For large corporations, services include workplace and unemployment benefits management.

Conduent was spun off from Xerox in 2017 and now employs around 51,000 people worldwide.

What happened with the Conduent breach?

In January 2025, Conduent suffered an outage that was later confirmed to be the result of a “cybersecurity incident.” The disruption lasted several days, during which agencies across the U.S. were unable to process some benefit payments. While the breach was discovered in January, hackers reportedly gained access to Conduent’s systems months earlier, on October 21, 2024. The Safepay ransomware gang later took credit for the attack.

While Conduent confirmed in April 2025 that client information had been stolen in the breach, it didn’t begin notifying affected individuals until October. According to those notices, the compromised data included names, Social Security numbers, dates of birth, health insurance policy information, and medical information.

How many people were impacted by the breach?

The scope of the breach continues to grow, but the total number of individuals affected currently sits around 25 million. The greatest impact appears to be in Texas and Oregon, though residents in California, Delaware, Maine, Massachusetts, New Hampshire, and New Mexico have also received notices. (For reference, the total number of users impacted by the 2024 ransomware attack on Change Healthcare is now estimated at 190 million.)

What to do if you were affected

If you receive a notice saying your information was compromised, you should take every precaution to secure your identity: At a minimum, ensure your credit is frozen, and set up a one-year fraud alert on your credit files to prevent someone from applying for credit using your information. None of the notices we’ve seen have offered any type of credit monitoring or identity theft protection services to affected individuals, but you could utilize these services as well.

At this point—given the ubiquity of data breaches and information compromise—you should be keeping a close eye on your credit report and financial accounts at all times to quickly catch anything suspicious. If you do find fraudulent activity, report it to your bank and/or credit issuer immediately, and file an identity theft report.
