Conduent Business Services, a back-office contractor handling benefits and HR data for state Medicaid programs, employer health plans and government agencies, has confirmed a ransomware-driven data theft impacting more than 25 million Americans. In February 2026, Texas Attorney General Ken Paxton publicly characterized the incident as the largest data breach in U.S. history. Notification letters began reaching victims earlier in 2026, ending a months-long disclosure cycle tied to intrusions that took place between October 2024 and January 2025.
What Happened
Threat actors maintained access to Conduent's environment for roughly three months, from October 2024 through January 2025, before the company contained the activity. During that window, ransomware operators exfiltrated structured records from systems supporting Medicaid administration, employer-sponsored health plans and government HR processing. Because Conduent is a downstream processor rather than a consumer-facing brand, most affected individuals had no prior relationship with the company and only learned of the exposure through breach notification letters. Texas AG Paxton's February 2026 characterization elevated the incident from a routine vendor disclosure into the benchmark U.S. breach by victim count.
What Was Taken
The exfiltrated data set is unusually rich and well-suited to long-tail identity fraud. Confirmed elements include:
- Full names
- Social Security numbers
- Dates of birth
- Home addresses
- Medical diagnosis codes
- Health insurance claim numbers
The combination of immutable identifiers (SSN, DOB) with healthcare-specific fields (diagnosis codes, claim numbers) enables not only classic financial fraud but also medical identity theft, fraudulent insurance claims and targeted social engineering against patients and providers.
Why It Matters
This breach reframes third-party risk in the public-benefits supply chain. Conduent sits behind state agencies and employer plans that most citizens never see, yet it aggregates data from tens of millions of beneficiaries into a single high-value target. The loss of more than 25 million records at a contractor most victims had never heard of underscores how concentration in benefits processing creates systemic exposure. The mismatch between breach scale and the standard remediation offer of one year of credit monitoring also highlights the limits of post-incident victim support when the exposed data is permanent.
The Attack Technique
Public reporting attributes the intrusion to ransomware operators conducting double-extortion-style activity, with data theft preceding or accompanying encryption. The dwell time of approximately three months between initial access in October 2024 and containment in January 2025 is consistent with established ransomware tradecraft: initial foothold, credential harvesting, lateral movement, staging and bulk exfiltration of structured benefits and claims data. The specific intrusion vector and the named threat group have not been publicly confirmed in the available reporting.
What Organizations Should Do
- Inventory and segment third-party processors that aggregate identity, health or benefits data, and require continuous monitoring of their environments rather than annual attestations.
- Hunt for long-dwell ransomware precursors: Cobalt Strike beacons, abnormal RMM tooling, suspicious scheduled tasks and large outbound transfers to cloud storage providers.
- Enforce phishing-resistant MFA and just-in-time privileged access for any contractor with bulk access to PII, PHI or claims data.
- Implement egress controls and DLP rules on databases containing SSNs, DOBs and medical codes; alert on unusual volumetric reads from claims and eligibility tables.
- Stress-test breach notification, call center and credit monitoring vendors against a 25M-scale event, including downstream state AG reporting obligations.
- Direct affected customers and employees toward credit freezes at all three bureaus, IRS Identity Protection PINs, weekly free reports via AnnualCreditReport.com and recovery workflows at IdentityTheft.gov.
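One way to implement the "alert on unusual volumetric reads from claims and eligibility tables" item above, as an added example that is not code from Conduent or the cited reporting. It baselines each account's daily rows read with median and MAD; the table names, account names, thresholds and audit-record layout are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

# Assumed names: tables, accounts and the record layout below are constructed.
SENSITIVE_TABLES = {"claims", "eligibility"}
MIN_HISTORY_DAYS = 5        # baseline days needed before robust statistics apply
NEW_ACCOUNT_FLOOR = 10_000  # rows/day that alerts when history is too short
K = 6                       # alert when today > median + K * spread

def daily_totals(records):
    """Sum rows read per (account, day), counting sensitive tables only."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, account, table, rows in records:
        if table in SENSITIVE_TABLES:
            totals[account][day] += rows
    return totals

def volumetric_alerts(records, today):
    """Return sorted [(account, rows_today, threshold)] for accounts over baseline."""
    alerts = []
    for account, by_day in daily_totals(records).items():
        rows_today = by_day.get(today, 0)
        history = [n for day, n in by_day.items() if day < today]  # ISO dates sort
        if len(history) < MIN_HISTORY_DAYS:
            threshold = NEW_ACCOUNT_FLOOR  # new or rarely seen account
        else:
            med = median(history)
            mad = median(abs(n - med) for n in history)
            # Floor the spread so a very flat baseline does not alert on noise.
            threshold = med + K * max(mad, 0.1 * med, 1)
        if rows_today > threshold:
            alerts.append((account, rows_today, threshold))
    return sorted(alerts)

def sample_records():
    """Constructed audit records: (ISO date, account, table, rows_read)."""
    recs = []
    for i, rows in enumerate([1200, 1350, 1100, 1280, 1190, 1310], start=1):
        recs.append((f"2024-06-0{i}", "svc_claims_api", "claims", rows))
        recs.append((f"2024-06-0{i}", "svc_reporting", "eligibility", 40_000 + 500 * i))
    recs.append(("2024-06-07", "svc_claims_api", "claims", 1250))
    recs.append(("2024-06-07", "svc_reporting", "eligibility", 2_400_000))  # bulk read
    recs.append(("2024-06-07", "tmp_admin2", "claims", 75_000))         # no history
    recs.append(("2024-06-07", "tmp_admin2", "audit_meta", 9_000_000))  # not sensitive
    return recs

if __name__ == "__main__":
    for account, rows, threshold in volumetric_alerts(sample_records(), "2024-06-07"):
        print(f"ALERT {account}: {rows} rows read, threshold {threshold:.0f}")
```

Per-account baselines matter here because a reporting service that normally reads tens of thousands of rows and an API account that reads a thousand need different thresholds, and an account with no history gets a fixed floor instead of a free pass.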
Sources: Conduent breach hits 25M in what Texas AG Paxton calls largest ever | Fox News