A recent data breach involving major government technology contractors appears to have a broader impact than initially estimated, now affecting over 25 million Americans.
Conduent, a tech company that handles various services such as medical billing and prepaid card processing for government programs, encountered a data breach that started in October 2024 and was addressed by January 2025.
Initially, there were concerns that about 10 million individuals were impacted, with their names, social security numbers, and medical details compromised. However, a new report indicates that in Texas alone, the number of affected individuals has risen to at least 15.4 million, quite a jump from the previous estimate of 4 million shared in October.
The Oregon Attorney General also reported that over 10 million individuals were affected and noted that Conduent reached out to “hundreds of thousands” in states like Delaware, Massachusetts, and New Hampshire, as indicated by a TechCrunch analysis of breach notifications.
A ransomware group known as SafePay claims responsibility, asserting they stole more than 8 terabytes of data during the breach.
In a filing to the Securities and Exchange Commission (SEC), Conduent mentioned that the investigation confirmed the data set included a significant amount of personal information related to the end-users of their clients, prompting notifications to both government and private sector customers.
Moving forward, Conduent has stated that they are collaborating with clients to ensure consumer notifications are sent out by April 15, 2026. To assist in this, they’ve established a call center dedicated to fielding consumer questions. As of now, the company has not found any evidence of the compromised information being misused.
While addressing the complexities involved, Conduent has emphasized that they worked diligently with both internal teams and external experts to analyze the affected data, which was a rather time-consuming endeavor.
Despite the challenges, both Conduent and their cybersecurity partners noted that there has been no indication of the personal information being circulated on the dark web.
