
A data breach from more than a year ago may be far larger than initially disclosed. The giant government technology company Conduent suffered a major ransomware attack in January 2025 that knocked out services across multiple U.S. states for several days.
The HIPAA Journal reported that at least 10 million people were affected by the data breach with the company needing several months to determine how widespread the damage was. This was confirmed in a September 2025 SEC statement.
Another SEC filing revealed that the stolen information included personal information like Social Security numbers, patient records, and health insurance information. A hacker group calling itself SAFEEPAY Ransomware has claimed responsibility for the breach.
Conduent is a major government contractor that handles a massive amount of sensitive information for multiple U.S. states. Oregon, for example, has Conduent handle some EBT or SNAP benefits for its residents. Conduent itself says that it supports "approximately 100 million US residents across various government health programs."
Most states have laws that require companies to send out data breach notification letters. These notices include information on the breach itself and usually contain a code to get free access to one of the best identity theft protection services for 12 to 24 months.
Notices for affected states have been sent out across Delaware, Indiana, Maine, Massachusetts, New Hampshire, Oregon and Vermont.
Strangely, Oregon's DOJ lists the breach as affecting nearly 10.5 million people across the state. That state only has a listed population of 4.9 million total. I have reached out to the Oregon attorney general's office for clarification though.
A Conduent spokesperson told TechCrunch that the company has been working to "conduct a detailed analysis of the affected files to identify the personal information." Reportedly, the spokesperson would not confirm how many notifications the company has sent out or if 100 million people were caught up in the breach.
The company has said it plans to finish sending notifications by "early 2026."
How to stay safe after a data breach

At some point, you are likely to receive a data breach notice from one or more companies you do business with, or even ones you deal with only indirectly. Fortunately, there are steps you can take to stay safe after a breach.
As mentioned above, usually companies that are hit by cyberattacks will provide at least a year of credit tracking and sometimes access to an identity theft protection service. Take advantage of those tools if they are offered.
If they don't, you'll want to invest in one of them on your own. Normally, you need to invest in identity theft protection before a breach even happens, but it doesn't hurt to sign up after.
As always, you'll want to be on high alert for phishing attacks and social engineering attacks, especially ones that urge you to "act now." Avoid clicking on any links, QR codes, or attachments from unknown senders.
Consider a password overhaul: come up with strong, complex passwords for all of your accounts, or use one of the best password managers to do so for you.
Finally, just in case, make sure you close any old online accounts that aren't in use. The fewer accounts you have, the less likely you'll be hacked or have the sensitive data associated with those accounts exposed online.
This breach seems to be growing, and we'll update this article if any more information surfaces about the Conduent leak.
