Hammer and US flag showing government contractor data breach

Data Breach at Government Contractor Conduent Sparks Nearly a Dozen Class Action Lawsuits

Conduent Business Solutions, a major government contractor for back office services, is notifying individuals of a three-month-long data breach. The incident leaked the personal and health information of more than 10.5 million Americans, making it the eighth-largest healthcare leak in U.S. history.

According to the company’s disclosure, hackers breached the company’s network around October 21, 2024, and began exfiltrating data related to Medicaid, child support, food assistance, and toll programs.

However, Conduent only learned of the cyber intrusion on January 13, 2025, after detecting “operational disruption,” which shut down critical services in multiple states after “a ‘threat actor’ gained unauthorized access to a limited portion of the Company’s environment.

Government contractor hit by a massive data breach

After detecting the breach, Conduent launched an investigation with third-party cybersecurity experts to determine the scope of the incident and notified law enforcement.

It also initiated cyber incident response protocols, successfully terminated the threat actor’s access, restored affected systems within days or hours, and has since detected no further activity from any threat actor in its environment.

However, the threat actor had already accessed files containing the victims’ names, dates of birth, Social Security numbers, medical records, and health insurance details, although “not every data element was present for every individual.”

States affected include Texas, Washington, South Carolina, New Hampshire, Maine, Oregon, Massachusetts, and California. Entities affected include Blue Cross and Blue Shield of Texas, Blue Cross and Blue Shield of Montana, Humana, Premera Blue Cross, and the Wisconsin Department of Children and Families.

While some sources reported that the Oklahoma Department of Human Services was affected, the state agency stressed that Conduent had confirmed its data was unaffected.

Meanwhile, there is no indication that Conduent plans to offer credit monitoring or identity theft protection, despite such measures being standard practice in such cases. However, Premera is offering two years of complimentary credit monitoring and identity protection services to the affected individuals.

SafePay ransomware claims responsibility for the Conduent data breach

In February, the SafePay ransomware group claimed responsibility for the Conduent data breach by listing the government contractor on its data leak site and claimed to have stolen 8.5 terabytes of data.

However, the threat group later removed Conduent from the data breach site, suggesting that the government contractor had paid the ransom to prevent the sensitive personal data from leaking.

So far, the government contractor claims it has no evidence that the cybercrime gang has misused the stolen data for fraud.

Government contractor Conduent faces multiple data breach lawsuits

Meanwhile, the government contractor faces 10 class action lawsuits in the U.S. District Court for the District of New Jersey for allegedly failing to protect victims’ personal information and to notify them promptly. It took nearly ten months after discovery to notify the impacted individuals.

The class members also accuse the government contractor of failing to comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTA).

They claim that the Conduent data breach puts them at an elevated risk of identity theft and financial losses. The cyber attack also prevented individuals from making child support payments, putting them at risk of violating court orders.

Additionally, the government contractor is under investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and state attorneys general for potential violation of federal and state regulations, including the HIPAA Security Rule.

Similarly, while Conduent stated that it suffered no material impact, it incurred $9 million in response to the data breach and expects to spend another $16 million by the first quarter of 2026. However, a cyber insurance policy will help to settle some of the costs.

Nevertheless, the government contractor also anticipates reputational damage, litigation costs, and potential regulatory fines, which could affect its financial position.