SYS::ONLINE
Wasteland.
Briefs1138
Issues18
SinceFeb 2026
LIVE
▣ Breach CONDUENT-HEALTHCAR 2026-07-09

Conduent: SafePay Ransomware Breach Exposes 62 Million

"Conduent, a back-office contractor that processes documents and claims for healthcare providers and government agencies, has confirmed a data breach affecting 62,224,658 individuals. In a filing submitted to the US…"

Conduent, a back-office contractor that processes documents and claims for healthcare providers and government agencies, has confirmed a data breach affecting 62,224,658 individuals. In a filing submitted to the US Department of Health and Human Services' Office for Civil Rights on 4 June 2026, the company disclosed a figure that ranks the incident among the three largest healthcare-linked breaches ever recorded. The SafePay ransomware group has claimed responsibility.

What Happened

Attackers first gained access to Conduent's network on 21 October 2024 and remained inside undetected until the company identified the intrusion on 13 January 2025, a dwell time of roughly three months. During that window, the SafePay ransomware group says it exfiltrated around 8.5 terabytes of data.

The reported victim count climbed steadily over time. Early estimates measured the exposure in the low tens of millions before individual states began reporting far higher figures. Texas alone was eventually informed that more than 15 million of its residents were affected. The mid-year update to 62 million consolidated those scattered regional disclosures into a single number and cemented the incident's place among the worst in the sector.

What Was Taken

Because of Conduent's role as a processor of sensitive documents, the stolen records reflect the most damaging categories of personal data. Exposed information is reported to include Social Security numbers, medical information, health insurance details, and Medicaid claims data.

This is material that cannot be reissued the way a compromised payment card can. A Social Security number, a medical history, and a Medicaid claim follow an individual for life, giving attackers durable value from a single theft. The 8.5 terabytes SafePay claims to hold represents an enormous volume of this high-sensitivity data.

Why It Matters

Vendor and processor breaches hit disproportionately hard because a single compromised contractor sits between dozens or hundreds of downstream healthcare providers and government agencies. One intrusion cascades across every organization that entrusted data to that vendor, which is how a single back-office contractor ends up accountable for 62 million exposed people.

For defenders, the incident is a reminder that third-party processors concentrate risk. The most sensitive data in a healthcare ecosystem often does not live with the provider that collected it, but with the claims and document contractors behind them, expanding the attack surface far beyond any one organization's direct control.

The Attack Technique

The intrusion is attributed to the SafePay ransomware group, which claimed both responsibility and the exfiltration of roughly 8.5 terabytes of data. The publicly shared timeline shows initial access on 21 October 2024 and detection on 13 January 2025, meaning the attackers operated inside the network for approximately three months before discovery.

That extended dwell time is the defining feature of the attack. Three months of undetected access is more than enough to map an environment, locate high-value data stores, and stage a multi-terabyte exfiltration before defenders react. Specific initial-access vectors have not been detailed in the disclosures reviewed here.

What Organizations Should Do

Sources: Conduent Breach Hits 62 Million in Healthcare Data Theft