Conduent Healthcare Data Breach Exposes 10.5 Million Patient Records in Massive 2025 Cyber Incident

 

In what may become the largest healthcare breach of 2025, Conduent Business Solutions LLC disclosed a cyberattack that compromised the data of over 10.5 million patients. The breach, first discovered in January, affected major clients including Blue Cross Blue Shield of Montana and Humana, among others. Although the incident has not yet appeared on the U.S. Department of Health and Human Services’ HIPAA breach reporting website, Conduent confirmed the scale of the exposure in filings with federal regulators. 

The company reported to the U.S. Securities and Exchange Commission in April that a “threat actor” gained unauthorized access to a portion of its network on January 13. The breach caused operational disruptions for several days, though systems were reportedly restored quickly. Conduent said the attack led to data exfiltration involving files connected to a limited number of its clients. Upon further forensic analysis, cybersecurity experts confirmed that these files contained sensitive personal and health information of millions of individuals. 

Affected data included patient names, treatment details, insurance information, and billing records. The company’s notification letters sent to Humana and Blue Cross customers revealed that the breach stemmed from Conduent’s third-party mailroom and printing services unit. Despite the massive scale, Conduent maintains that there is no evidence the stolen data has appeared on the dark web. 

Montana regulators recently launched an investigation into the breach, questioning why Blue Cross Blue Shield of Montana took nearly ten months to notify affected individuals. Conduent, which provides business and government support services across 22 countries, reported approximately $25 million in direct response costs related to the incident during the second quarter of 2024. The company also confirmed that it holds cyber insurance coverage and has notified federal law enforcement. 

The Conduent breach underscores the growing risk of third-party vendor incidents in the healthcare sector. Experts note that even ancillary service providers like mailroom or billing vendors handle vast amounts of protected health information, making them prime targets for cybercriminals. Regulatory attorney Rachel Rose emphasized that all forms of protected health information (PHI)—digital or paper—fall under HIPAA’s privacy and security rules, requiring strict administrative and technical safeguards. 

Security consultant Wendell Bobst noted that healthcare organizations must improve vendor risk management programs by implementing continuous monitoring and stronger contractual protections. He recommended requiring certifications like HITRUST or FedRAMP for high-risk vendors and enforcing audit rights and breach response obligations. 

The incident follows last year’s record-breaking Change Healthcare ransomware attack, which exposed data from 193 million patients. While smaller in comparison, Conduent’s 10.5 million affected individuals highlight how interconnected the healthcare ecosystem has become—and how each vendor link in that chain poses a potential cybersecurity risk. As experts warn, healthcare organizations must tighten vendor oversight, ensure data minimization practices, and develop robust incident response playbooks to prevent the next large-scale PHI breach.