A significant data breach that occurred over a year ago may impact far more individuals than previously estimated. Conduent, a leading government technology firm, experienced a severe ransomware attack in January 2025, disrupting services across several U.S. states for multiple days.
According to a report from the HIPAA Journal, the breach compromised personal information of at least 10 million individuals. Conduent has taken considerable time to evaluate the scope of the breach, with this information being confirmed in a September 2025 filing with the SEC.
The breach reportedly involved sensitive data, including Social Security numbers, patient records, and health insurance details. A hacker group known as SAFEEPAY Ransomware has claimed responsibility for the attack, intensifying concerns about cybersecurity in the governmental sector.
Conduent provides critical services to various state programs, managing sensitive information for approximately 100 million U.S. residents. For instance, the company administers Electronic Benefits Transfer (EBT) programs in states like Oregon. However, confusion has arisen as Oregon’s Department of Justice has listed that nearly 10.5 million individuals were affected, despite the state having a population of just 4.9 million. Efforts have been initiated to seek clarification from the Oregon attorney general’s office regarding this discrepancy.
In compliance with state regulations, affected residents are receiving data breach notification letters that outline the circumstances of the breach and may include codes for free identity theft protection services for periods ranging from 12 to 24 months. Notifications have been dispatched to residents in Delaware, Indiana, Maine, Massachusetts, New Hampshire, Oregon, and Vermont.
A spokesperson for Conduent informed TechCrunch that the company is conducting a thorough analysis of the affected data to identify the specific personal information involved. However, they did not confirm the number of notifications sent or the total number of affected individuals. The company anticipates completing the notification process by early 2026.
In light of such breaches, it is essential for individuals to remain vigilant. Companies that experience data breaches often provide resources such as a year of credit monitoring or access to identity theft protection services. If such services are not offered, individuals are encouraged to consider investing in identity theft protection independently.
Staying alert for phishing attempts and social engineering scams is vital, particularly those that prompt immediate action. Advisably, individuals should revise old passwords, utilizing complex combinations or password managers to enhance security. Lastly, closing out unused online accounts can reduce the risk of exposure of sensitive information.
As details about the Conduent breach continue to evolve, updates will be provided as more information becomes available. The necessity for robust cybersecurity measures is underscored, highlighting both the vulnerabilities present and the importance of proactive strategies for consumers.