I woke to a text: “Your insurer’s vendor was hacked.” You scroll, then stop—because the numbers keep climbing. For a split second you understand your address, your Social Security number, your medical notes might now be someone else’s file.
A morning email arrives: The timeline you need to follow
I tracked the notices so you don’t have to. Conduent, the New Jersey–based service provider spun off from Xerox in 2017, disclosed it discovered a “cyber incident” on January 13, 2025. The company says the intrusion ran from October 21, 2024, through that discovery date.
At first the public tally was patchy. State disclosures and press reports have pushed the known reach to about 26 million people so far, and officials warn the number could grow as investigations continue.
A printed folder left on an office chair: What data was taken
The evidence points to records you don’t want floating on the dark web. Names, Social Security numbers, unspecified medical details, and health-insurance information were among the items exfiltrated from systems Conduent holds for health plans.
Conduent’s notice is blunt: not every data element was present for every individual. That means some people may have only had a Social Security number exposed; others may have had insurance or medical data exposed instead.
The Safepay ransomware group claims responsibility and reportedly grabbed over 8 terabytes of files. Conduent says it is not aware of any attempted or actual misuse yet, but uncertainty is the operative word.
Metaphor 1: the company’s archive was treated like a cracked vault—door open, contents visible.
A state website posts a notice at midnight: Which states and how many people
State-by-state disclosures have stitched together the scale. Oregon reported about 10.5 million impacted; Texas figures have jumped in public statements from a reported 4 million to a claim of 15.4 million in some media coverage, which would amount to roughly half that state’s population. Small states registered small counts too—Maine lists 374 affected residents.
Those patchwork tallies are why the total keeps changing. The Texas Attorney General, Ken Paxton, labeled the breach possibly the largest in U.S. history and demanded information from Conduent and partner insurers. New Jersey media report a class action lawsuit pending in state court, and federal- and state-level inquiries are active.
An EBT outage alert blinks on your dashboard: Operational fallout
Real-world services hiccupped. In January 2025, electronic benefit transfer (EBT) outages in Wisconsin and Oklahoma were connected to the same Safepay incident, demonstrating how a single vendor compromise can ripple into public programs.
Conduent employs roughly 56,000 people worldwide and handles payment and document processing for large health insurers and governments. The company’s public statements and offerings—such as free credit monitoring and identity restoration through Eqiq for some victims—are part of the immediate response; enrollment deadlines, for example in California, run through April 30, 2026.
An attorney skims a ransom note: Who claimed responsibility and what that means
Safepay’s claim and the reported 8 TB haul put this in the ransomware era’s upper tier. It’s not clear whether a ransom demand was filed publicly; extortion groups sometimes use theft as leverage and sometimes sell or leak data without negotiating.
News outlets covering the incident include Bleeping Computer, Fox News, and NJ.com. Regulators and state attorneys general are moving to get records from insurers and Conduent. Expect legal motions, discovery, and subpoenas that will gradually illuminate what was taken and why safeguards failed.
Your next moves: Practical steps to reduce risk
You don’t get to be passive here. If you receive a notice or suspect exposure, act deliberately and keep records of every communication from Conduent, your insurer, and state authorities.
How many people were affected by the Conduent breach?
Short answer: the number is still growing. Public tallies reported by states—Oregon’s 10.5 million and the evolving Texas totals—bring the running known total to about 26 million, but ongoing disclosures could raise that figure.
What data was exposed in the Conduent hack?
Names, Social Security numbers, some health information, and health-insurance data have been reported. Conduent emphasizes not every record contained every element, but any exposure of Social Security numbers or medical details raises identity and privacy risks.
What should I do if my data was in the breach?
Call the Conduent helpline at (866) 291-3678 (Mon–Fri, 9:00 a.m.–6:30 p.m. ET) if you have questions. Enroll in offered services such as Eqiq’s monitoring if you qualify and the enrollment window is open. Freeze your credit if you suspect SSN exposure, watch insurance statements for unexpected claims, and set alerts on bank and credit-card activity.
Practical checklist: record notification dates, export any breach letters, change passwords tied to medical portals, and place fraud alerts with the three major bureaus.
Metaphor 2: when a data reservoir springs a hole, information flows outward like a leaking dam—small at first, then harder to stop.
A newsroom watches the filings: Legal and reputational stakes
Class actions and regulatory probes will test whether Conduent and its client insurers met industry standards. Plaintiffs will seek damages and proof of reasonable safeguards; regulators will examine vendor management and incident response timelines.
For health plans that outsource processing, the case will be a stare-at-the-contract moment. Expect subpoenas, vendor audits, and public records requests to surface more granular timelines and technical details over time.
A late-night call to your relative: The human cost
People whose medical histories, Social Security numbers, or insurance IDs were exposed face a cascade of hassles: frozen accounts, protracted disputes, and the slow burn of identity restoration. That’s the real ledger here—hours spent on the phone, stress, and distrust.
I will keep watching filings from Conduent, statements from Ken Paxton and state attorneys general, and reporting from outlets such as Bleeping Computer and NJ.com to track meaningful developments. For now, what are you going to do tonight to protect the data you still control?