Conduent Business Services has confirmed to the Department of Health and Human Services Office for Civil Rights (OCR) that a network intrusion lasting roughly three months between October 2024 and January 2025 exposed the protected health information of at least 62,224,658 individuals. The incident is now ranked as the third-largest healthcare data breach in U.S. history, trailing only the 2024 Change Healthcare breach (192.7 million) and the 2015 Anthem Inc. breach (78.8 million).
What Happened
Conduent Business Services, a vendor providing printing, mailing, document processing, payment integrity, and back-office services to healthcare providers, health plans, and government agencies, first detected the security breach on January 13, 2025. A subsequent forensic investigation revealed that intruders had established access to the company's network on October 21, 2024, giving them an undetected dwell time of approximately three months. Initial reports filed with the state attorneys general in Oregon and Texas indicated at least 25 million Americans had been affected, but the recently updated submission to OCR significantly expanded that figure to over 62.2 million.
What Was Taken
The compromised data set consists of protected health information (PHI) covered under HIPAA. Exposed elements include full names, physical addresses, Social Security numbers, and medical records. Because Conduent operates as a business associate to numerous HIPAA-covered entities, the dataset spans multiple downstream healthcare providers, health plans, and government clients. Officials have warned that the total number of affected individuals could climb even higher, as it remains unclear whether every covered entity delegated breach notification responsibilities to Conduent or filed independently.
Why It Matters
The Conduent incident pushes the running total of individuals affected by large healthcare data breaches tracked by OCR, counted since reporting began under the HITECH Act of 2009, past the one-billion mark. It reinforces a now-familiar pattern: third-party service providers and business associates have become the highest-leverage targets in the healthcare ecosystem, where a single intrusion can cascade across dozens of covered entities and tens of millions of patients. Missouri regulators and other state authorities are scrutinizing the notification process, and HIPAA-covered clients of Conduent remain legally accountable even where delegating notification to Conduent was offered.
The Attack Technique
Conduent has not publicly attributed the intrusion to a named threat actor, nor has it disclosed the initial access vector. What is confirmed is the timeline: intruders gained access on October 21, 2024, and operated undetected within the environment for approximately 84 days before discovery on January 13, 2025. The three-month dwell time is consistent with intrusions involving stolen credentials, exposed remote access services, or exploitation of edge appliances, where lateral movement and staged exfiltration proceed quietly behind legitimate-looking traffic. The breadth of PHI collected suggests access to bulk document processing and mailing systems central to Conduent's service offering.
What Organizations Should Do
- Inventory all business associate relationships and confirm in writing which party will issue breach notifications under HIPAA; do not assume the vendor has covered it.
- Audit third-party vendor environments for dwell-time detection capability, including EDR coverage, identity monitoring, and egress anomaly detection on document processing systems.
- Enforce phishing-resistant MFA and conditional access on all remote access and administrative entry points used by business associates and their staff.
- Segment back-office processing environments from broader corporate networks to limit lateral movement once an initial foothold is established.
- Review and exercise the incident response and breach notification playbook with vendor partners, including legal and communications workflows for multi-state attorney general filings.
- Monitor for downstream identity-theft and medical-fraud activity tied to exposed SSNs and medical records, and prepare patient-facing notification and credit monitoring resources.
Sources: Conduent Business Services Data Breach Affected More Than 62.2 Million Individuals · Utopia Tech