Conduent Business Services located in New Jersey had earlier sent a breach report to the Oregon Attorney General about a hacking incident in 2024 that affected 10.5 million people across the country. This is one of the biggest healthcare data breaches of 2025 with a significantly high victim count. The Texas Attorney General received a breach report that in Texas alone, nearly 14.8 million individuals had their personal data and protected health information (PHI) exposed.
The SafePay ransomware group professed to be behind the February 2025 attack on Conduent Business Services. The ransomware group added Conduent on its dark web data leak site, claiming that 8.5 terabytes of data were stolen during the attack. SafePay threatened to leak the stolen information if Conduent does not pay the ransom. Since the company is not listed on the site now, it is assumed that the ransom was paid.
A lot of HIPAA-regulated entities and government institutions do business with Conduent Business Services, which offers mailroom and back-office services. The clients of Conduent include medical insurance companies like Premera Blue Cross in the Pacific Northwest, Blue Cross and Blue Shield of Texas, Humana health insurance company, and Blue Cross and Blue Shield of Montana.
Conduent Business Services stated it will send the breach notification letters to the impacted individuals on behalf of its HIPAA-regulated entity customers. However, the total number of impacted individuals is not yet confirmed. The HHS’ Office for Civil Rights breach portal currently posts the breach as impacting 42,616 individuals.
Conduent Predicts the Data Breach Cost to be $25M by the first quarter of 2026. During the first quarter, Conduent mentioned that the January 2025 cyberattack did not have any material impact on its operating environment or costs. Nevertheless, it spent $9 million on breach notifications by late September 2025. It expects to spend another $16 million by Q1 of 2026. Conduent stated that its cyber insurance policy will cover any additional costs for breach notifications.
Additional costs may include the amount for dealing with reputational damage, lawsuit, and regulatory transactions, which can impact Conduent’s financial position. Reports say that Conduent is currently facing several lawsuits in relation to the data breach. Conduent will surely be subjected to an investigation by the HHS Office for Civil Rights and state attorneys general. Regulatory penalties may be issued if Conduent is confirmed to have violated state or government regulations.
Image credit: Shevon, Adobestock / logo©ConduentBusinessServices
