Conduent data breach exposed data of 10.5 million people, including Social Security numbers

Conduent, a business services company that provides healthcare billing, has begun sending notices to people affected by a massive data breach affecting 10.5 million people, making it one of the largest breaches of its kind. At least some of the affected individuals had their names and Social Security numbers exposed to an unknown third party, according to notification letters Conduent shared with state attorneys general.

Per The HIPAA Journal, the Conduent data breach would be the eighth-largest healthcare data breach ever recorded.

In a notice to Maine residents, Conduent states, "Presently, we have no evidence or indication of actual or attempted misuse of your personal information."

Conduent provides medical billing, Medicaid screening, toll collection, and a variety of other services to businesses and governments around the world, and thus has access to highly sensitive personal data.

Many states require entities to inform residents when their data has been exposed. In recent months, Conduent has begun sending notices to various state attorney general offices, as well as affected individuals, the company says.

The Oregon Department of Justice Consumer Protection Division reports that the breach affected 10,515,849 individuals. And in October, Conduent notified the New Hampshire Attorney General that "the personal information of the affected individuals included their name and Social Security number."

It is not clear if all 10.5 million impacted individuals had their Social Security numbers exposed, however. Mashable contacted Conduent for more information, and we'll update this story if we receive a response.

Conduent said that it became aware of the data breach on Jan. 13, 2025, and that an "unauthorized third party" had access to part of its system from Oct. 21, 2024 to Jan. 13, 2025.

"On January 13, 2025, we discovered that we were the victim of a cyber incident that impacted a limited portion of our network. We immediately secured our networks and initiated an investigation with the assistance of third-party forensic experts. Our investigation determined that an unauthorized third party had access to our environment from October 21, 2024, to January 13, 2025," reads the template of a notification letter sent to residents of Maine.

The letter also states that "Conduent has been working diligently with a dedicated review team, including internal and external experts, to conduct a detailed analysis of the affected files to identify the personal information contained therein."

Large-scale data breaches have affected many private and public organizations in recent years. Two data breaches at AT&T recently resulted in a $177 million class action settlement.

When cybercriminals gain access to private data, such as names, birth dates, and Social Security numbers, victims face a heightened risk of identity theft. If you believe your personal information has been exposed, you can take proactive steps to protect yourself from scammers and identity thieves.

Have a story to share about a scam or security breach that impacted you? Tell us about it. Email [email protected] with the subject line "Safety Net" or use this form. Someone from Mashable will get in touch.