Introduction
The Conduent breach is no longer an isolated third-party hiccup. Regulatory filings, newly released state notices, and investigative reporting now list more than 25 million individuals whose Social Security numbers, Medicaid/Medicare data, and HR paperwork were exposed after the October 2024 intrusion. What began as a ransomware attack on a New Jersey-based back-office contractor has evolved into one of the largest healthcare data disasters of 2026.
Timeline & scope
- October 2024: SafePay ransomware knocks Conduent offline, impacting state benefit disbursements and corporate HR systems.
- Jan 2025: Conduent publicly discloses the incident after months of outages; public filings confirm attackers stole tens of terabytes of data.
- Feb 2026: TechCrunch traced notifications that raised Texas exposures from 4M to 15.4M and confirmed Oregon’s 10.5M tally (TechCrunch, Feb 5). Multiple other states are still notifying citizens as of this publication.
- Today: Malwarebytes reports the total victims list now exceeds 25 million across at least 30 government and corporate programs, including SNAP, Medicaid, and major employers (Malwarebytes, Feb 2026).
What the attackers took
The SafePay gang claims to have exfiltrated roughly 8 terabytes of data during the prolonged foothold. The stolen data stretches beyond names and addresses: SafePay lists Social Security numbers, birth dates, bank account details, and detailed medical claims. Because Conduent is a layered vendor — handling printing, mailroom, enrollment, and payment processing for both government agencies and Fortune 100 clients — the stolen datasets touch high-value programs such as the SNAP card distribution, Medicaid benefit systems, and corporate HR/benefits administration for employers like Volvo.
Conduent’s filings confirm the attacker accessed sensitive medical claims, health insurance membership data, and “a significant number of personal identifiers associated with our clients’ end-users” (SEC filing, Sept 2025).
Why these notifications keep rising
The rise from 10 million to 25 million victims is partly due to delayed mapping between Conduent’s clients and the breached datasets. State agencies only understood which records were accessed as the forensic team matched top-level files to specific benefit programs. Texas initially reported 4 million victims; updated notifications now list 15.4 million, nearly half the state’s population. Oregon, Delaware, Massachusetts, New Hampshire, and South Carolina continue to issue mailed notices.
The scale also reflects Conduent’s reach: the company says it services more than 100 million people across government programs and large private payers, which means individuals who never interact with Conduent directly may still have records processed on the breached platforms.
Response and what defenders can do
- State teams: Accelerate breach notification audits and provide clear guidance about affected programs and contact points.
- Healthcare entities: Inventory which outgoing feeds touch Conduent-managed print, mail, or payment systems and enforce segmentation so a vendor breach cannot reach production data stores.
- Individuals: Freeze credit with Equifax, Experian, and TransUnion, watch for suspicious Medicaid/SNAP letters, and enroll in the free credit monitoring offered by impacted states.
Conduent still insists there is no evidence of fraud, but the SafePay gang’s access to configuration files and authentication tokens keeps the threat live. The incident underlines how an embedded vendor can multiply the population at risk long after the initial intrusion is contained.