The scope of the cyberattack on government technology provider Conduent has swelled dramatically, with new state tallies showing the incident now impacts tens of millions of Americans. Fresh disclosures indicate at least 15.4 million people in Texas and another 10.5 million in Oregon had personal data exposed, underscoring the sprawling reach of a vendor that underpins critical public services nationwide.
The breach stems from a January 2025 ransomware intrusion that disrupted Conduent’s operations for days and triggered outages across multiple government services. Stolen information includes names, Social Security numbers, medical details, and health insurance data—precisely the kind of long-lived identifiers that fuel identity fraud and medical identity theft.
New Tallies From States Reveal The Breach’s Scale
Texas officials now estimate 15.4 million residents were affected—about half the state’s population and nearly quadruple the 4 million Conduent previously cited for Texas. Oregon’s attorney general placed that state’s count at 10.5 million. Those two alone push the confirmed total past 25 million, and additional state-by-state notices could further expand the number.
Conduent has not provided a definitive nationwide count. A company spokesperson said teams are still analyzing affected files to identify whose data was taken but did not answer how many notifications have been issued or whether the total could exceed the more than 100 million Americans the company says it reaches through government healthcare programs.
What Was Stolen And Why It Matters For Consumers
Names and Social Security numbers are difficult or impossible to change, and when paired with insurance identifiers or medical data, can enable fraudulent claims, tax refund theft, and creation of synthetic identities. The Federal Trade Commission warns that medical identity theft often surfaces only when victims spot unfamiliar procedures on Explanation of Benefits statements—sometimes months after a breach.
Health-related breaches carry outsized risk. The Department of Health and Human Services’ Office for Civil Rights has repeatedly flagged the downstream harm and regulatory exposure when business associates—contractors that handle protected health information—are compromised. Unlike payment card numbers, which can be reissued, health and identity data have a long shelf life on criminal markets.
Ransomware Fallout And Company Response
A ransomware group calling itself Safeway claimed responsibility and boasted of exfiltrating more than 8 terabytes of data. Conduent disclosed the incident months after the attack, later telling investors in a regulatory filing that the stolen datasets contained a significant amount of personal information tied to client end-users across both corporate and government accounts.
The company says it continues to notify affected individuals and expects to complete outreach in early 2026, without committing to a firmer timeline. Inquiries to Conduent were met with generalized statements that did not address key questions, including the total number of victims and the breadth of affected systems.
Critical Vendor At The Center Of Public Services
Conduent is a major contractor to U.S. states, providing technology and back-office operations for programs such as Medicaid claims processing, electronic benefits (EBT) administration, child support disbursements, and transportation tolling. When a provider of this scale is hit, the ripple effects can disrupt services across multiple states at once—a systemic risk long emphasized by the Cybersecurity and Infrastructure Security Agency and the Government Accountability Office in their guidance on third-party and supply chain security.
The sheer volume of sensitive data flowing through these systems makes data minimization, network segmentation, and least-privilege access more than best practice—they are essential controls. Frameworks such as NIST SP 800-53 and the Cross-Sector Cybersecurity Performance Goals highlight these measures, but implementing them across complex, decades-old government platforms remains a work in progress for many contractors.
What Affected Individuals Should Do Right Now
With Social Security numbers and insurance data in play, consumers should:
- Place a security freeze with the three major credit bureaus.
- Add fraud alerts to credit files.
- Monitor health insurer and provider portals.
- Review Explanation of Benefits statements for unfamiliar services and report discrepancies promptly.
- If offered, enroll in credit and identity monitoring; it is not a cure-all, but it can surface misuse earlier.
- Use the FTC’s identity theft resources to guide recovery steps if fraud occurs.
Given the ongoing data analysis, some individuals may receive notifications months apart as additional affected records are identified. Keep contact information current with insurers and state benefit programs to ensure delivery of any follow-up notices or replacement IDs.
The Compliance And Disclosure Lens On The Breach
Regulators have tightened expectations around cyber risk reporting. The SEC’s incident disclosure rules require prompt, materiality-focused updates to investors, while HIPAA requires notification to affected individuals and HHS for breaches involving protected health information handled by covered entities and their business associates. Large, multi-client incidents like Conduent’s can take months to untangle as teams map exposed files back to specific state programs and beneficiaries.
The expanding state figures make one point clear: safeguarding public-sector data now hinges as much on contractor security as on the agencies themselves. Until large service providers can prove that sensitive data is both minimized and strongly segmented, the country’s social safety net will remain exposed to outsized risk from a single compromise.
