A sprawling data breach at Conduent has blown open sensitive personal and medical records tied to more than 25 million people across the United States. The theft appears to hit Medicaid recipients and customers of major insurers particularly hard, with state filings pointing to especially severe impacts in Texas and Oregon. Conduent says outside forensic teams are still sorting through which client records were taken and are working with its customers to notify affected end users.
An update on the breach page of the Wisconsin Department of Agriculture, Trade and Consumer Protection pegs the incident at "25+ million" people. A separate roundup of state notification letters by TechCrunch reaches roughly the same total, with about 15.4 million Texans and roughly 10.5 million Oregonians counted among the victims.
Conduent first disclosed the cyber incident in filings with the U.S. Securities and Exchange Commission and says investigators discovered suspicious activity on January 13, 2025. According to its 2025 Form 10-K filed with the U.S. Securities and Exchange Commission, a forensic review found that an unauthorized actor "exfiltrated a set of files associated with a subset of the Company’s clients," and the company began notifying those clients in October 2025.
What the intruders took
State notices and security reports say the stolen files included names, addresses, dates of birth, Social Security numbers and medical and insurance information. The ransomware group that publicly claimed credit for the breach said it had taken multiple terabytes of files, a claim documented in reporting by TechCrunch.
Why Texas is front and center
Updated disclosures pushed Texas’ victim count sharply higher, putting the state squarely in the spotlight. On February 12, the Texas Attorney General’s Office issued Civil Investigative Demands to Blue Cross Blue Shield of Texas and Conduent as part of a probe into the breach. In a press release from Attorney General Ken Paxton, he called the incident "likely the largest breach in U.S. history" and said his office is seeking documents on how confidential information was handled.
Legal fallout
The breach has already triggered multiple federal class action lawsuits that have been consolidated for coordinated handling in New Jersey federal court, as reported by SecurityWeek. Those cases, combined with state investigations, set the stage for prolonged discovery and potentially sizable payouts if regulators or judges find problems with vendor security practices or the timing and scope of notifications.
If you got a notice
If a notification letter from Conduent or one of its clients landed in your mailbox, hang on to it and double check any enrollment links before you share more personal information. Consumer protection guidance recommends placing a security freeze or fraud alert with Equifax, Experian and TransUnion, reviewing free credit reports at AnnualCreditReport.com, and using IdentityTheft.gov to report identity theft and generate a personalized recovery plan.
Conduent’s response and a warning about sign-up scams
Conduent says it is offering complimentary identity monitoring services to affected individuals and has set up dedicated assistance lines for questions. Wisconsin’s breach page notes that a call center is available for those affected. Because scammers often piggyback on real breach letters, officials and security experts urge people to verify any sign-up URL by calling the official hotline listed on state notices or the company’s consumer information line before entering a Social Security number or other sensitive data.
Investigations by state attorneys general and Conduent’s own review are continuing. The company says it currently has no evidence that the stolen information has been misused, according to its 2025 Form 10-K filed with the U.S. Securities and Exchange Commission. More notifications and public updates are likely as regulators press for details and plaintiffs push their claims through the courts.
