Data Breach Notification,
Data Privacy,
Data Security
2025 Sees Major Data Breach Affecting 10.5 Million Individuals, Multiple Insurers, State Authorities
In the wake of a significant data breach disclosed by Conduent Business Solutions, numerous class-action lawsuits are beginning to accumulate. The incident, which occurred in October 2024, is reported to have compromised personal and health-related information of over 10.5 million individuals.
At least nine lawsuits have been filed against Conduent in a federal court in New Jersey since October 27, coinciding with the company’s breach report to state regulators. The complaints allege that Conduent failed to adequately secure sensitive data, leaving it vulnerable to cybercriminal activity.
Furthermore, legal representatives from various law firms have announced they are conducting investigations into the breach to assess further legal action. Conduent, headquartered in New Jersey, provides an array of back-office services to businesses and government functions across 22 countries and posted $3.4 billion in revenue for the year 2024.
The allegations in the lawsuits suggest negligence on Conduent’s part, emphasizing the company’s failure to implement appropriate security measures to protect the personal information of its clients. One plaintiff, Brian Marshall, asserts that by collecting and maintaining sensitive information, Conduent assumed a duty to safeguard that data against breaches.
Notably, the affected entities include major health insurers such as Blue Cross Blue Shield of Montana and Texas, as well as state agencies, including Oklahoma’s Department of Human Services. However, Oklahoma’s DHS stated that Conduent confirmed there was no impact to their data from the breach.
On the other hand, Premera Blue Cross clarified that the compromise involved data managed by Conduent, a contracted third-party vendor, assuring that their own systems were not breached. Conduent has since implemented steps to enhance system security, notified law enforcement, and is directly communicating with impacted individuals.
Current Investigations and Regulatory Scrutiny
In addition to litigation, state regulators in Montana are also investigating the breach, particularly focusing on the delayed notification process for the 462,000 affected members. As it stands, this incident is anticipated to rank as the most severe healthcare data breach of 2025, although it has yet to be officially recorded on the U.S. Department of Health and Human Services’ breach reporting platform, likely due to the federal government shutdown.
According to reports filed with the U.S. Securities and Exchange Commission, the breach allowed a “threat actor” access to a portion of Conduent’s operational environment, with compromised data potentially including names, Social Security numbers, and health-related information. Ransomware group SafePay has surfaced in relation to this incident, threatening to release large volumes of stolen data online.
The attack likely included tactics that align with the MITRE ATT&CK framework, including initial access and lateral movement techniques, which are characteristic of advanced persistent threat actors. As the situation develops, further revelations are expected both from Conduent and probing entities.
