There’s a company called Conduent that most Americans have never heard of. It processes Medicaid claims, distributes SNAP benefits, handles child support payments, and manages unemployment insurance for more than 100 million people across the United States. If you’ve ever received a government benefit, there’s a real chance Conduent has your Social Security number, your medical history, and your home address.

Hackers had access to all of it for 84 days.

From October 21, 2024 to January 13, 2025, an unauthorized party roamed Conduent’s systems, pulling files containing names, Social Security numbers, medical records, and health insurance data. The SafePay ransomware group claimed responsibility and says it stole 8.5 terabytes of data. To put that in perspective: the entire printed collection of the Library of Congress is estimated at around 10 terabytes.

The victim count keeps climbing. Texas initially reported 4 million affected residents. That number has since ballooned to 15.4 million, more than half the state. Oregon’s attorney general lists 10.5 million. Maine’s breach registry shows 7.6 million total affected individuals. The combined total across just Texas and Oregon: more than 25 million people. Hundreds of thousands more are being notified in Delaware, Massachusetts, New Hampshire, and other states. New Hampshire alone keeps revising its numbers upward, from 11,000 to more than 181,000 in six separate disclosure letters.

Texas Attorney General Ken Paxton called it “likely the largest breach in U.S. history.”

Nobody knows the final number. Conduent won’t say.

The Company You Never Signed Up For

Here’s the part that matters more than the numbers.

You didn’t choose Conduent. You didn’t sign their terms of service. You didn’t hand them your Social Security number because you trusted their security practices. Your state government hired them. Blue Cross Blue Shield of Texas contracted with them. And through that chain of outsourcing, your most sensitive personal data landed on servers you didn’t know existed, managed by a company you’d never heard of.

When a company you chose has a breach, you can stop using them. When a government contractor has a breach, you were never given a choice in the first place.

This is the core problem with government data collection. The state takes your money, then requires you to surrender personal information to claw some of it back. Think of it as a mugger who throws some cash around the neighborhood, but only if you show him your ID first. Then he loses the ID. Every government benefit program is a data collection program, and every data collection program is a future breach waiting to happen.

Conduent isn’t some scrappy startup. It’s the former business process services arm of Xerox, spun off in 2017 with $6.7 billion in annual revenue and 54,000 employees. Its predecessor, ACS, held over 1,700 government contracts. This is the blue-chip vendor class. The one that’s supposed to be safe.

It has a track record. ACS/Xerox/Conduent paid a $236 million settlement to Texas for rubber-stamping fraudulent Medicaid claims from 2004 to 2012. Texas responded by awarding Conduent another $147.7 million Medicaid contract in 2022. The entity that defrauded Medicaid patients is the same entity that just lost Medicaid patients’ data.

Ten Months of Silence

Conduent discovered the breach on January 13, 2025. Individual notifications didn’t begin until October 2025. That’s a ten-month gap between discovery and disclosure. People are finding out about a breach that started in October 2024 only now, in February 2026, more than a year after it ended.

Conduent says it “acted promptly and in alignment with incident response protocols.” Translation: their protocol includes taking ten months to tell you your Social Security number was stolen while they figure out a way to put a media spin on it.

Blue Cross Blue Shield of Montana learned it was affected in January 2025 and notified individuals in October 2025. When Montana’s insurance regulator scheduled a public hearing about the delay, BCBS Montana and Conduent tried to get a court order to block it. The judge denied them. Montana’s CSI Communications Director Tyler Newcomb said it plainly: “It is troubling that it appears [BCBS] attempted to avoid regulatory oversight and accountability by seeking to block this hearing.”

The incentive structure rewards delay. Notifications cost money ($25 million, per Conduent’s own SEC filing). Each month of “analysis” is another month of not paying for credit monitoring. The lawsuits come either way.

The Enforcement Joke

At least nine class action lawsuits have been filed and consolidated in New Jersey federal court. Texas AG Paxton issued Civil Investigative Demands. Montana held its hearing. Sounds like accountability.

Zoom out. The HHS Office for Civil Rights has collected $144.9 million across 152 HIPAA enforcement actions in its entire history. That’s less than one Super Bowl ad buy. HIPAA penalties in 2026 range from $145 to $2.19 million per violation. For a company that launched with $6.7 billion in revenue, those are rounding errors.

Change Healthcare exposed 190 million people in 2024. Anthem lost 78.8 million records in 2015. The pattern never changes: breach, delay, disclose, fine, repeat. The fines never exceed the profits. The contractors never lose their government contracts. Nobody goes to jail.

The people whose data was stolen (Medicaid recipients, SNAP users, unemployment claimants) are the least equipped to monitor their credit, freeze their files, or lawyer up. The system extracts data from the most vulnerable, hands it to the least accountable, and offers credit monitoring as a consolation prize.

What to Watch

The number isn’t done growing. Conduent says it handles data for 100 million people. Only 25 million have been confirmed affected in two states. As more states report and more clients come forward (Volvo Group just disclosed 17,000 employees affected), the final count could be multiples of what we know today.

The consolidated class action in New Jersey will be the main legal front. Watch for discovery deadlines, any evidence of what “basic security measures” Conduent did or didn’t implement, and whether SafePay’s 8.5 terabytes ever surface on the dark web. Conduent says they haven’t. That claim has an expiration date.

The deeper question is whether this changes anything structural. Government agencies have been outsourcing data processing to the lowest bidder for decades. The bidder gets the contract, the data, and the liability shield. The people whose data it is get a letter in the mail, sometimes a year later, and a phone number to call between 9 AM and 6:30 PM Eastern.

If your data was in Conduent’s systems, you’re stuck in the same place as 25 million other Americans: waiting for a notification letter that may never come, hoping hackers don’t use your information before you find out they have it, and wondering why you never had a say in who got to hold it.

Sources: TechCrunch, Conduent Official Notice, Texas AG, Security Magazine, HIPAA Journal, Malwarebytes, Oregon DOJ, Maine AG, WMUR, HHS OCR, SecurityWeek, Freedom for All Americans, BleepingComputer, TDMR, NJ.com