Conduent Business Solutions LLC has disclosed a major data breach affecting over 10.5 million individuals, including patients of Blue Cross Blue Shield of Montana and Humana. The breach, discovered in January, involved unauthorized access by a threat actor to a limited portion of Conduent's environment, resulting in the theft of sensitive data. The incident is considered one of the largest healthcare data breaches of 2025, with notifications sent to state regulators and impacted individuals, though the full scope across other sectors remains unclear.
Conduent reported the incident to the U.S. Securities and Exchange Commission in April, following operational disruptions and public notices from affected state agencies such as Oklahoma. The company has not specified whether clients outside the healthcare sector were impacted. Upon discovery, Conduent activated its cybersecurity response plan and engaged external experts to assist with the investigation and remediation efforts. The breach has not yet appeared on the U.S. Department of Health and Human Services' HIPAA breach reporting website, likely due to a federal shutdown at the time of reporting.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
By early November 2025, reporting indicated that legal complaints and regulatory investigations were piling up in response to the Conduent breach. The incident's fallout was described as ongoing and significant given its scale and healthcare impact.
By late October 2025, Conduent's SEC filing and state breach notifications showed that data theft affected more than 10.5 million people, including clients such as Humana and Blue Cross Blue Shield of Montana. The exposed information included Social Security numbers, medical information, and health insurance data, making it one of the largest healthcare-related breaches of 2025.
Montana regulators disclosed they were investigating a Conduent-related breach affecting about 462,000 Blue Cross Blue Shield of Montana members. The inquiry also raised concerns about an approximately 10-month delay in notifying affected individuals.
After assessing the stolen data, Conduent started notifying affected clients and regulators in multiple states as required by law. State filings later showed exposure of sensitive personal and health-related data across several jurisdictions.
In February 2025, the SafePay ransomware gang claimed the attack, alleging it stole 8.5 TB of data and threatening to publish or sell the information. Conduent said it had not seen evidence that the exfiltrated data was posted publicly or released on the dark web.
Following discovery of the breach, Conduent brought in external cybersecurity and data-mining experts to investigate the stolen files and involved federal law enforcement. The company later said it spent about $2 million on response efforts and expected some cyber insurance recovery.
On January 13, 2025, Conduent detected the incident, disclosed an operational disruption, and determined that an unnamed threat actor had accessed a limited portion of its environment and exfiltrated files tied to a limited number of clients. The company said some systems were restored within hours and others within days.
Attackers gained unauthorized access to Conduent's environment on or about October 21, 2024, beginning a months-long compromise that later led to data theft. Reports indicate the intrusion persisted until it was discovered in January 2025.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
12 references tracked. Mallory keeps watching after this page renders.
govinfosecurity.com
Open sourcebankinfosecurity.com
Open sourcebankinfosecurity.com
Open sourcegovinfosecurity.com
Open sourcetherecord.media
Open sourcescworld.com
Open sourcebankinfosecurity.com
Open sourcegovinfosecurity.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.