Conduent, a back-office contractor that processes documents and claims for healthcare providers and government agencies, has confirmed a data breach affecting 62,224,658 individuals. In a filing submitted to the US Department of Health and Human Services' Office for Civil Rights on 4 June 2026, the company disclosed a figure that ranks the incident among the three largest healthcare-linked breaches ever recorded. The SafePay ransomware group has claimed responsibility.
What Happened
Attackers first gained access to Conduent's network on 21 October 2024 and remained inside undetected until the company identified the intrusion on 13 January 2025, a dwell time of roughly three months. During that window, the SafePay ransomware group says it exfiltrated around 8.5 terabytes of data.
The reported victim count climbed steadily over time. Early estimates measured the exposure in the low tens of millions before individual states began reporting far higher figures. Texas alone was eventually informed that more than 15 million of its residents were affected. The mid-year update to 62 million consolidated those scattered regional disclosures into a single number and cemented the incident's place among the worst in the sector.
What Was Taken
Because of Conduent's role as a processor of sensitive documents, the stolen records reflect the most damaging categories of personal data. Exposed information is reported to include Social Security numbers, medical information, health insurance details, and Medicaid claims data.
This is material that cannot be reissued the way a compromised payment card can. A Social Security number, a medical history, and a Medicaid claim follow an individual for life, giving attackers durable value from a single theft. The 8.5 terabytes SafePay claims to hold represents an enormous volume of this high-sensitivity data.
Why It Matters
Vendor and processor breaches hit disproportionately hard because a single compromised contractor sits between dozens or hundreds of downstream healthcare providers and government agencies. One intrusion cascades across every organization that entrusted data to that vendor, which is how a single back-office contractor ends up accountable for 62 million exposed people.
For defenders, the incident is a reminder that third-party processors concentrate risk. The most sensitive data in a healthcare ecosystem often does not live with the provider that collected it, but with the claims and document contractors behind them, expanding the attack surface far beyond any one organization's direct control.
The Attack Technique
The intrusion is attributed to the SafePay ransomware group, which claimed both responsibility and the exfiltration of roughly 8.5 terabytes of data. The publicly shared timeline shows initial access on 21 October 2024 and detection on 13 January 2025, meaning the attackers operated inside the network for approximately three months before discovery.
That extended dwell time is the defining feature of the attack. Three months of undetected access is more than enough to map an environment, locate high-value data stores, and stage a multi-terabyte exfiltration before defenders react. Specific initial-access vectors have not been detailed in the disclosures reviewed here.
What Organizations Should Do
- Inventory and risk-rank every third-party processor that handles regulated data, treating vendor environments as an extension of your own attack surface.
- Contractually require vendors to disclose breach detection timelines and to demonstrate monitoring capable of catching multi-month dwell time.
- Deploy and tune detection focused on large-volume outbound data transfers, which is the signal an 8.5 TB exfiltration would generate.
- Segment and monitor access to sensitive data stores so that a single compromised foothold cannot quietly reach Social Security numbers and medical records.
- Maintain and rehearse an incident response plan that assumes a vendor breach, including downstream notification obligations under HIPAA and state law.
- For affected individuals, enforce credit freezes and long-term monitoring, since exposed SSNs and medical data cannot be reissued.
Sources: Conduent Breach Hits 62 Million in Healthcare Data Theft