Third-Party Risk Management,
Data Breach Notification,
Data Security
Conduent Data Breach Affects Millions, Including Clients Humana and BCBS Montana
A significant cybersecurity incident has emerged as Conduent Business Solutions LLC disclosed that over 10.5 million patient records were compromised in a breach detected in January. Among the clients impacted are notable healthcare providers, including Blue Cross Blue Shield of Montana and Humana, alongside several unidentified organizations.
This breach may potentially mark the largest health data incident of 2025, although it has yet to be reported on the U.S. Department of Health and Human Services’ HIPAA breach reporting site—a probable consequence of the federal shutdown. Conduent has not clarified whether clients from sectors outside healthcare were also affected.
In correspondence with the U.S. Securities and Exchange Commission (SEC), Conduent revealed that the breach involved unauthorized access by an unnamed threat actor. Following the incident, the company initiated its cybersecurity response plan in collaboration with external experts to manage and mitigate the breach, restoring most affected systems rapidly.
According to the initial investigation, hackers exfiltrated a limited set of files associated with some of Conduent’s clients. The company is actively analyzing the impact of the data accessed and has ensured that affected clients are informed in line with applicable federal and state requirements. Fortunately, Conduent reported that there has been no indication that the compromised data is available on dark web markets or publicly disseminated.
Among the affected organizations, sample notifications sent to clients from Humana and Blue Cross Blue Shield of Montana indicate that the breach compromised various personal details such as names, treatment dates, costs, and insurance numbers. State regulators in Montana are currently investigating the incident, particularly why notification to affected individuals was delayed for nearly ten months.
This hack underscores an ongoing vulnerability within the healthcare sector, which has repeatedly been a target for cybercriminals. The attack tactics likely align with several MITRE ATT&CK techniques, including initial access via phishing or exploiting external vulnerabilities, which facilitated the unauthorized data access. The complexity of handling personal health information emphasizes the necessity for robust third-party risk management strategies in healthcare environments.
As the landscape of cyber threats continues to evolve, healthcare organizations must take proactive steps to fortify their defenses. Recommendations include rigorous vendor assessments, enhancing data access controls, and ensuring ongoing employee training to recognize potential cybersecurity threats early. Such measures are vital for maintaining the integrity of sensitive health data and protecting the information of millions of patients.
