Ransomware Government IT Services / Healthcare · United States · February 2026

Conduent Business Solutions

Analysis of the Conduent ransomware breach affecting over 25 million individuals including government benefits recipients. SafePay group claimed to have exfiltrated 8TB of data.

Records Affected

Over 25 million individuals (and growing)

Attack Type

Ransomware

Location

United States

Data types exposed

Names Social Security numbers dates of birth medical records health insurance details treatment information

What Happened

Conduent provides payment processing and benefits administration for US state governments and health insurers. The SafePay ransomware group claimed responsibility, asserting it exfiltrated over 8TB of data during a three-month dwell time from October 2024 to January 2025.
The breach initially appeared limited but expanded dramatically. Texas alone jumped from 4 million to 15.4 million affected residents. Compromised data includes SSNs, medical information, and health insurance details for recipients of SNAP, Medicaid, and other government programmes.
The Texas Attorney General has launched an investigation. Multiple class-action lawsuits have been consolidated in New Jersey federal court. Conduent has reported $25 million in direct breach-related costs.

Timeline

  • October 21, 2024 — SafePay ransomware group gains initial access to Conduent systems
  • January 13, 2025 — Unauthorised access terminated after three-month dwell time
  • Early 2025 — Initial disclosure with limited scope
  • October 2025 — Individual notifications begin
  • February 2026 — Scope expanded to over 25 million individuals; Texas count rises to 15.4 million, Oregon to 10.5 million

Threat Actor Profile

SafePay is a ransomware group that emerged in late 2024 and rapidly became one of the most active groups targeting US government contractors and healthcare-adjacent organisations.
The group is known for large-scale data exfiltration prior to encryption, leveraging the volume of claimed stolen data as additional extortion pressure.

Impact and Risk Assessment

For Individuals

Over 25 million Americans, primarily recipients of government benefits including SNAP, Medicaid, and other social services, have had their personal data compromised.
Exposed SSNs, medical records, and health insurance details create long-term identity theft and medical fraud risk for some of the most vulnerable populations in the United States.
The extended notification timeline means many affected individuals may not yet be aware their data was compromised.

For Organisations

Conduent has earmarked $25 million for breach-related costs, with cyber insurance covering excess amounts.
State governments that contracted with Conduent face political and regulatory fallout over their vendor selection and oversight.
Downstream corporate clients such as Volvo Group North America have been affected, demonstrating cascading supply chain impact.

Regulatory Context

The Texas Attorney General has launched a formal investigation. HIPAA breach notification requirements apply to the healthcare data component.
Class-action lawsuits have been consolidated in New Jersey federal court, potentially setting precedent for third-party contractor liability in government data breaches.

What Should You Do?

For Individuals

  • If you receive government benefits in the United States, monitor your credit reports and benefits accounts for signs of misuse.
  • Consider placing a fraud alert or credit freeze, particularly if you reside in Texas or Oregon where the largest populations were affected.
  • Be alert to phishing attempts that may reference government benefits programmes.

For Security Professionals

  • Review your organisation's exposure to Conduent as a service provider and assess whether employee or customer data may have been included in the breach.
  • Use this incident to evaluate your vendor risk management programme, particularly for contractors handling government benefits data.
  • Ensure your contracts with third-party service providers include meaningful breach notification timelines and security requirements.

Learnings and Recommendations

This breach is a case study in third-party concentration risk. When a single contractor of this size is compromised, the fallout cascades across every entity that entrusted data to that contractor.
The notification timeline of more than a year between intrusion and individual notifications raises serious questions about third-party vendor oversight and contractual notification requirements.

References

[1] TechCrunch - Conduent data breach grows — https://techcrunch.com/2026/02/24/conduent-data-breach-grows-affecting-at-least-25m-people/
[2] Malwarebytes - The Conduent breach — https://www.malwarebytes.com/blog/news/2026/02/the-conduent-breach-from-10-million-to-25-million-and-counting
[3] HIPAA Journal - Conduent investigation — https://www.hipaajournal.com/conduent-business-solutions-data-breach/

Source

https://techcrunch.com/2026/02/24/conduent-data-breach-grows-affecting-at-least-25m-people/ ↗
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.
Back to all advisories