Conduent data breach impacts 4M Texans, prompts lawsuits: What to know

Conduent Business Services reported a data breach that compromised the personal information of over 10.5 million customers, including over 4 million Texans.

Over 4 million Texans may be impacted by one of the largest data breaches in U.S. history, and pending legal action could award compensation for some. Here's what to know about the Conduent Business Services data breach.

Conduent Business Services is a New Jersey-based business services/business process outsourcing (BPO) company that works with almost half of Fortune 100 companies plus 600 government and transportation agencies. It supports a wide range of industries with large-scale operations in healthcare, enterprise and more. Due to the nature of Conduent's services, it handles large volumes of personal, financial and health-related data across many states and clients. The company separated from Xerox in January 2017.

In January 2025, Conduent learned that the personal information of more than 10.5 million customers had been stolen by an unauthorized third party between Oct. 21, 2024 and Jan. 13, 2025. A ransomware/data-extortion group called SafePay took credit for the breach of around 8.5 terabytes of data from Conduent. According to Claim Depot, the personally identifiable information (PII) and protected health information (PHI) exposed included names, Social Security numbers, medical information and health insurance information. Conduent alerted the Securities and Exchange Commission (SEC) of the attack in April but did not notify customers of the breach until Oct. 8, 2025.

A total of 4,001,844 Texans were affected by the Conduent data breach, the Texas Attorney General's office reported last week. The HIPAA Journal lists the incident as the No. 8 largest data breach in U.S. history.

In response to the data breach, Conduent issued the following statement to MySA:

As previously disclosed in its April 2025 Form 8-K filing with the SEC, in January 2025, Conduent discovered that it was the victim of a cybersecurity incident. With respect to that incident, Conduent has agreed to send notification letters, on behalf of its customers, to individuals whose personal information may have been affected by this incident. In addition, a dedicated call center has been set up to address consumer inquiries. At this time, Conduent has no evidence of any attempted or actual misuse of any information potentially affected by this incident.

Upon discovery of the incident, Conduent acted quickly to secure its networks, restore its systems and operations, notify law enforcement, and conduct an investigation with the assistance of third-party forensics experts. In addition, given the nature and complexity of the data involved, Conduent has been working diligently with a dedicated review team, including internal and external experts, to conduct a detailed analysis of the affected files to identify the personal information contained therein, which was a time-intensive process.

Conduent takes this matter seriously and regrets any inconvenience this incident may have caused.

The information exposed in the Conduent data breach included names, Social Securiy numbers, medical information and health insurance information, Claim Depot reports.

Lawsuits pile up as investigations continue

Multiple class-action lawsuits against Conduent Business Services have been filed in New Jersey federal court, and more are expected to follow as more law firms open investigations. The HIPPA Journal reports, "The lawsuits make similar claims — that Conduent was negligent by failing to adequately protect its network against unauthorized access and for its alleged failure to provide adequate notifications to individuals affected by the data breach."

Law firms aren't the only kind of entity investigating Conduent's data breach. Montana state regulators are also looking into the incident, which impacted nearly half a million Blue Cross Blue Shield of Montana members, according to BankInfoSecurity. More state regulators could follow suit, especially regarding breach-notification laws and data-security obligations.

What should I do if my data was compromised?

If Conduent Business Services notified you that your data was breached, you may be contacted by a law firm to join a class-action lawsuit. Depending on the outcome, individuals may be eligible for compensation. Such individuals are encouraged to document any harm resulting from the data breach, such as identity theft, fraud and incurred costs.

If you believe you may have been affected by the Conduent data breach, you can take the following steps to protect your data:

• Monitor your credit reports.
• Consider placing a fraud alert or security freeze on your credit file, which will prevent new accounts from being opened in your name without additional verification.
• Be extra cautious with phishing attempts, as attackers may use the incident as a lure to trick you into giving more information.
• Monitor health/insurance statements for unusual claims or mismatches.
• Keep copies of any official notification you receive from Conduent or related entities, to maintain a record of exposure and what was communicated to you.
• Change passwords for accounts where you used the same password somewhere else, and enable multi-factor authentication (MFA) where possible.