In January 2025, news first surfaced about a massive data breach at Conduent Business Services, a vendor that provides printing, mailing, document processing, payment integrity, and other back-office services to healthcare providers, health plans, and government agencies. Conduent first identified the security breach on January 13, 2025; however, the forensic investigation determined that hackers had access to its computer network for three months, starting on October 21, 2024.
At the time, the true scale of the breach was unknown. Based on breach reports submitted to the state attorneys general in Oregon and Texas, at least 25 million Americans were known to have been affected in those states alone; however, the full scale of the breach has only recently been confirmed. Conduent has provided an updated total to the Department of Health and Human Services Office for Civil Rights (OCR), indicating that the protected health information of at least 62,224,658 individuals was compromised in the incident.
When a data breach occurs at a business associate of a HIPAA-covered entity, it is ultimately the responsibility of each affected covered entity to ensure that notifications are issued about the breach, including to OCR, the media, and the affected individuals. HIPAA-covered entities must ensure that the notifications are issued, but they may delegate that responsibility to the business associate.
Conduent offered to send notifications on behalf of its covered entity clients, but it is unclear whether each affected covered entity delegated that responsibility to Conduent. The total number of affected individuals may therefore be higher. At more than 62.
2 million individuals, the data breach ranks as the third-largest healthcare data breach of all time , behind the 2024 data breach at Change Healthcare, which affected an estimated 192. 7 million individuals, and the 2015 data breach at Anthem Inc. , which affected approximately 78.
8 million individuals. Since 2009, OCR has been publishing summaries of healthcare data breaches affecting 500 or more individuals on its website, as required by the HITECH Act of 2009. The addition of the Conduent Business Services data breach sees the number of individuals affected by large healthcare data breaches increase to more than 1 billion.
Between October 2009 and April 2026, the protected health information of 1,033,206,197 Americans has been breached. May 12, 2026: Missouri Regulators Claim Conduent is Stonewalling State’s Data Breach Investigation An investigation by regulators in Missouri into the 2024 hacking incident at Conduent Business Services has stalled. The Missouri Department of Commerce claims it is being stonewalled by Conduent, which has not provided the information it requires about the data breach.
Conduent, a provider of printing, mailroom, document processing, payment integrity, and other back-office support services, discovered in January 2025 that hackers accessed parts of its network between October 21, 2024, and January 13, 2025, and potentially exfiltrated files containing electronic protected health information. Data potentially compromised in the incident included names, addresses, social security numbers, and medical records.
Conduent has taken steps to notify insurers, members, and law enforcement about the cybersecurity breach and has offered the affected individuals 12 months of complimentary credit monitoring services. The breach was significant, affecting tens of millions of individuals. In a February 2025 filing with the Wisconsin Department of Agriculture, Trade, and Consumer Protection, Conduent estimated that 25 million individuals were affected; however, 16 months after the discovery of the data breach, the full scale of the data breach has yet to be confirmed.
On March 17, 2026, the Missouri Department of Commerce issued an insurance bulletin seeking information about the data breach, in which it strongly encouraged all insurers and other entities regulated by the department to determine if their members had been affected and, if so, to ensure that they are notified by Conduent. The Department of Commerce said it has been in direct contact with Conduent since it issued the bulletin; however, Conduent has been unwilling to provide the department with the information it requires to fully assess the impact of the data breach.
While the Department of Commerce claims Conduent has been unwilling to answer the questions, Conduent may not be able to provide those answers. “We are concerned and disappointed that Conduent has not provided sufficient information for regulators to fully assess the potential impact of this breach,” DCI Director Angela Nelson said. “Clear and timely communication is critical in these situations, and we are continuing to seek the details needed to evaluate any risk to Missouri insurance consumers.”
The matter has now been escalated by the Department of Commerce, which issued another bulletin requesting insurers share information directly with the department about any Conduent services used, or those of its affiliates, prior to or during the period of the breach, along with information about the nature of those services. “We are committed to using every tool available to understand the scope of this incident and to ensure Missourians have the information and resources needed to protect themselves,” Director Nelson said.
“Because of Conduent’s failure to provide information, the Department asks that any insurer or other entity regulated by the Department that utilized the services of Conduent or any of its affiliates prior to or during the time period of the cybersecurity breach, either directly or indirectly, contact the Department’s Market Conduct Section,” states the Department of Commerce in the bulletin .
Originally published at hipaajournal.com
