How an 84-day ransomware intrusion at Conduent (Nasdaq: CNDT) became one of the largest healthcare data breaches in US history

Conduent’s data breach now affects 25M+ Americans including Priority Health members. Read the full analysis of legal, financial, and regulatory fallout.

Conduent Incorporated (Nasdaq: CNDT), a Florham Park, New Jersey-based business process outsourcing company that handles data for more than 100 million Americans, is at the centre of what authorities now describe as potentially the largest healthcare data breach in United States history. The company disclosed in March 2026 that Priority Health, a Michigan-based insurer with 1.4 million members, was among dozens of clients whose member data was compromised in a ransomware attack that ran undetected from October 21, 2024, to January 13, 2025. Affected data spanning names, Social Security numbers, medical records, and health insurance details has been confirmed for at least 25 million individuals across multiple states, with state attorneys general still adding to the count. Conduent’s stock has traded near its 52-week low throughout the disclosure period, closing around $1.29 on March 13, 2026, against a 52-week high of $3.19, as investors weigh the compound weight of class action litigation, federal regulatory scrutiny, and a business model whose entire value proposition rests on the secure custody of sensitive data.

How did the Conduent ransomware attack go undetected for nearly three months and expose data for 25 million Americans?

The breach’s timeline is as damaging to Conduent’s credibility as the breach itself. An unauthorized third party gained access to Conduent’s network on October 21, 2024, and maintained that access for 84 days before the company detected the intrusion on January 13, 2025. The Safepay ransomware group has claimed responsibility, asserting it exfiltrated more than 8.5 terabytes of data encompassing names, addresses, dates of birth, Social Security numbers, medical histories, and health insurance records. Conduent has not publicly confirmed the group’s identity or the precise volume taken, but has acknowledged that files containing personal information were removed from its environment.

For a company whose commercial purpose is processing and safeguarding the most sensitive categories of personal data on behalf of government agencies and major insurers, an 84-day dwell time raises fundamental questions about the adequacy of its detection capabilities. Conduent provides back-office services including claims administration, payment processing, document handling, and benefit eligibility verification to nearly half the Fortune 100 and more than 600 government agencies. The breadth of that client roster is precisely why the breach’s reach has proven so extensive.

Priority Health’s disclosure, published on March 13, 2026, illustrates a secondary dimension of the crisis. The insurer was not informed that its member data had been compromised until April 21, 2025, more than three months after Conduent discovered the breach. Priority Health attributed the notification delay to the complexity of the data sets Conduent needed to analyse before it could identify which client populations were affected. For Priority Health’s 1.4 million members across Michigan, Indiana, Ohio, and Wisconsin, that lag meant months of exposure without the opportunity to take protective action.

Which healthcare insurers and government agencies were affected by the Conduent breach across the United States?

The client roster of confirmed or probable victims illustrates how deeply embedded Conduent is across American healthcare and government infrastructure. Blue Cross Blue Shield of Texas has been identified as the single largest client exposure, with more than 4 million Texans initially cited, a figure since revised upward to at least 15.4 million by Texas state reporting, approaching half the state’s population. Oregon’s attorney general has separately confirmed 10.5 million affected residents. Delaware, Massachusetts, New Hampshire, Wisconsin, and Montana have all filed additional breach notifications, with Wisconsin’s attorney general updating its database to show at least 25 million Americans affected nationally.

Beyond private insurers, Conduent’s government services division processes food assistance programmes, unemployment benefits, child support payments, and other public welfare functions, meaning some affected individuals are among the most financially vulnerable Americans. The Wisconsin Department of Children and Families experienced service disruptions to its child support payment operations in the immediate aftermath of the January 2025 attack, a detail that underscores the operational dependency government agencies have built around Conduent’s infrastructure.

Conduent has stated it expects to complete individual consumer notifications by April 15, 2026, and is sending those letters on behalf of its affected clients. For many of the 25 million-plus people involved, a notification letter arriving in early 2026 will be their first indication that their Social Security number and medical records were compromised more than a year ago.

The litigation and regulatory exposure building around Conduent is substantial and still expanding. At least ten federal class action lawsuits have been consolidated before Judge Michael A. Hammer in the United States District Court for the District of New Jersey. The consolidated complaints allege negligence, negligence per se, breach of third-party beneficiary contract, unjust enrichment, and violations of the Federal Trade Commission Act alongside state consumer protection statutes. A Plaintiffs’ Steering Committee was appointed in December 2025 to coordinate the litigation.

The regulatory dimension is potentially more consequential over the long term. As a HIPAA business associate, Conduent is subject to the HIPAA Security Rule requirements that apply to the handling of protected health information. The United States Department of Health and Human Services Office for Civil Rights has opened an investigation, following the pattern it established after the 2024 Change Healthcare breach, which affected approximately 192 million people. The Texas Attorney General’s office launched a separate probe on February 22, 2026, with the stated possibility of civil penalties and multi-state coordination. Montana’s attorney general has also initiated proceedings.

Conduent has projected total data breach remediation costs of approximately $25 million, having spent $9 million on breach notifications by late 2025 and expecting to spend a further $16 million by the end of the first quarter of 2026. Cyber insurance is expected to offset some additional costs. However, that $25 million estimate explicitly excludes litigation defence costs, any eventual class action settlement, regulatory civil monetary penalties, and the harder-to-quantify reputational cost to a company whose competitive proposition is the trustworthy custody of sensitive data.

How does Conduent’s stock performance and financial position reflect the scale and severity of the data breach fallout?

Conduent’s market position entering this crisis was already fragile. The company closed at $1.29 on March 13, 2026, within sight of its 52-week low of $1.18, and down sharply from its 52-week high of $3.19. The market capitalisation stands at approximately $200 million against trailing twelve-month revenue of $3 billion, a price-to-sales ratio of roughly 0.07 that reflects deep investor scepticism about the company’s trajectory. Morningstar’s analysts assign Conduent a fair value of $8.81 per share, suggesting the stock trades at a pronounced discount to intrinsic value estimates, though that gap has not translated into buying confidence given the accumulation of operational and legal headwinds.

The company’s full-year 2025 adjusted EBITDA rose 32 percent to $164 million, and adjusted EBITDA margin improved to 5.4 percent, results management presented as evidence of operational progress. Fourth-quarter new business annual contract value reached $152 million, up 11 percent year over year. However, revenue declined 4.2 percent to $3.04 billion for the full year, free cash flow remained deeply negative, at -$130 million, and net income on a trailing twelve-month basis stood at -$170 million. Management’s stated medium-term target of 8-to-10 percent adjusted EBITDA margins depends on converting that profitability improvement into positive free cash flow, a transition the mounting legal and remediation cost structure will complicate.

In January 2026, Conduent appointed Harsha V. Agadi as Chief Executive Officer, replacing Cliff Skelton and signalling a leadership reset at a moment of institutional crisis. The company simultaneously opened an AI Experience Center at its Florham Park headquarters, a move designed to demonstrate innovation capacity and forward momentum. The juxtaposition of that marketing initiative with the ongoing breach notification rollout speaks to the credibility challenge Conduent’s new leadership faces.

What does the Conduent breach reveal about third-party vendor risk in healthcare data management and government outsourcing?

The Conduent incident has become the definitive modern case study in third-party vendor risk, and its implications extend well beyond the company itself. Priority Health’s disclosure is explicit that its own systems were not compromised and that the breach occurred entirely within Conduent’s environment. That framing is legally significant but strategically cold comfort. In practical terms, 1.4 million Priority Health members have had their personal and medical data exposed through a vendor relationship their insurer controlled.

The HIPAA Security Rule’s business associate provisions exist precisely to address this dynamic. Covered entities such as health insurers are legally responsible for ensuring that every business associate handling protected health information maintains security standards equivalent to their own. Regulators and plaintiffs’ attorneys are likely to test that principle aggressively as the litigation and HHS Office for Civil Rights investigation proceed. The question of whether Priority Health and other insurers conducted sufficient vendor due diligence and whether their business associate agreements contained adequate security representations will become central to those proceedings.

For the broader healthcare and government outsourcing sector, the Conduent breach will accelerate an already evident trend toward vendor consolidation audits, tighter business associate agreement requirements, and increased cyber insurance underwriting scrutiny. Competitors providing similar post-payment recovery, claims processing, and government benefit administration services, including companies such as Evolent Health, Cotiviti, and Maximus Federal Services, can expect existing and prospective clients to apply a significantly higher bar for security attestation and contractual liability allocation than was standard before this incident.

The notification delay is a separate and serious problem. The nearly ten-month gap between Conduent’s discovery of the breach in January 2025 and the initiation of individual consumer notifications in late 2025 is likely to draw specific regulatory and judicial attention. Most US state breach notification laws and HIPAA’s own Breach Notification Rule require notification within 60 days of determining that a breach has occurred. The complexity defence Conduent has offered, namely the sheer volume of data requiring analysis, has some factual basis given the scale of the exfiltration. Whether regulators accept it as justification will be tested in the months ahead.

Key takeaways on what the Conduent and Priority Health data breach means for the healthcare outsourcing industry and affected members

  • Conduent’s breach has reached at least 25 million confirmed victims across the United States, with Oregon and Texas accounting for the majority, and state-level counts continuing to rise. The final number may exceed this substantially.
  • The 84-day undetected dwell time exposes critical gaps in Conduent’s threat detection capabilities, raising immediate questions for every client that has a business associate agreement in place.
  • Priority Health’s disclosure that it was not informed until April 2025 — more than three months after Conduent’s discovery — illustrates the cascading notification failure that regulators are most likely to penalise.
  • Conduent’s projected $25 million remediation cost is almost certainly a floor. It excludes litigation settlements, regulatory penalties, and the long-term revenue impact of client attrition from a company whose core competitive asset is data security trust.
  • The HHS Office for Civil Rights investigation follows a pattern established after Change Healthcare and could result in substantial HIPAA civil monetary penalties. The Texas and Montana attorneys general investigations add state-level exposure.
  • At least ten consolidated federal class action lawsuits allege negligence, breach of contract, and consumer protection violations. Third-party beneficiary theory is the key legal mechanism plaintiffs are using to circumvent HIPAA’s absence of a private right of action.
  • CNDT stock at approximately $1.29 sits within striking distance of its 52-week low of $1.18, and the combination of negative free cash flow, mounting legal liability, and reputational damage makes a sustained recovery materially harder to execute.
  • New Conduent Chief Executive Officer Harsha V. Agadi, appointed in January 2026, inherits a leadership mandate defined as much by crisis management as by the AI-driven transformation story the company is attempting to tell investors.
  • For healthcare insurers, government agencies, and corporations with outsourced back-office data functions, the Conduent breach is a forcing event: vendor security audit frameworks, business associate agreement liability clauses, and cyber insurance vendor provisions are all due for structural review.
  • Priority Health members and other affected individuals must enrol in Conduent’s two-year credit monitoring offering by March 31, 2026. Enrolment does not waive the right to participate in class action proceedings.
