Conduent breach expands to 25.9 million Americans: SSNs and medical records stolen

The Conduent data breach just got significantly worse. What was initially reported as affecting 10 million people has now ballooned to 25.9 million Americans, making it one of the largest government contractor breaches in US history. If you have ever interacted with a government service in Texas or Oregon, you may be affected.

Here is what happened, who is at risk, and the steps you need to take right now.

What happened

In January 2025, the SafePay ransomware group launched an attack against Conduent Business Services, one of the largest government technology contractors in the United States. Conduent handles sensitive data processing for government agencies in all 50 states, serving programs like Medicaid, food assistance (SNAP), child support payments, and other social services for more than 100 million Americans.

The attack disrupted government services across multiple states for several days. According to Malwarebytes, the SafePay ransomware group claimed to have exfiltrated a staggering 8.5 terabytes of data from Conduent's systems and threatened to publish it if the ransom was not paid.

The full scope of the damage has only become clear a year later. In filings updated in early February 2026, Conduent revealed that 25.9 million individuals were affected, more than double the original estimate of roughly 10 million. The company said it expects to finish notifying all affected individuals by early 2026, nearly a full year after the attack occurred. In its May 2025 quarterly earnings report, Conduent disclosed $25 million in direct costs related to the breach response.

What data was exposed

The stolen data includes some of the most sensitive personal information that exists:

• Social Security numbers - Full SSNs for millions of individuals
• Medical records - Personal health information tied to government healthcare programs
• Health insurance data - Plan details, member IDs, and coverage information
• Full names and addresses - Physical addresses and contact details
• Government benefit records - Information about social services participation
• Financial information - Bank account details used for benefit payments

This is not a dataset of email addresses and passwords. This is the kind of data that enables medical identity theft, insurance fraud, tax fraud, and government benefit theft. Medical identity theft is particularly dangerous because it can result in incorrect information in your health records, potentially leading to wrong treatments or denied care.

Who is affected

Texas residents: 15.4 million people

Texas is the hardest-hit state, with approximately 15.4 million individuals affected. That is more than half of Texas's total population. If you are a Texas resident who has ever used a state-run social service, you should assume your data was compromised.

Oregon residents: 10.5 million people

Oregon accounts for the remaining 10.5 million affected individuals. Given that Oregon's total population is approximately 4.2 million, this number likely includes both current residents and former residents or individuals who accessed Oregon government services while living elsewhere.

Anyone who has used government services

Even if you do not live in Texas or Oregon, you may be affected if:

• You received Medicaid or CHIP benefits processed through Conduent
• You used SNAP or food assistance programs
• You received child support payments processed through Conduent systems
• You interacted with any government agency that contracts with Conduent for data processing
• You are a government employee whose records were processed by Conduent

Conduent provides technology services to government agencies across the country, and the full scope of affected states may still be expanding.

What to do right now

1. Freeze your credit at all three bureaus

With SSNs exposed, freezing your credit is the single most important step you can take. A credit freeze prevents criminals from opening new accounts in your name.

• Equifax: equifax.com/personal/credit-report-services/credit-freeze or 1-800-685-1111
• Experian: experian.com/freeze or 1-888-397-3742
• TransUnion: transunion.com/credit-freeze or 1-888-909-8872

2. Change your passwords for government and healthcare accounts

Immediately change passwords for:

• Government benefit portals (state benefits websites, healthcare.gov)
• Health insurance provider accounts
• Banking accounts linked to government payments
• Your primary email address
• Any account where you used the same password

Changing passwords across many accounts is tedious but critical. Dosel automates the process with a local AI agent that handles the clicking through each site's password change flow while keeping your credentials on your machine.

3. Enable multi-factor authentication

Add two-factor authentication to every account that supports it, especially:

• Government service portals
• Health insurance accounts
• Banking and financial accounts
• Email accounts

Use an authenticator app rather than SMS codes when possible.

4. Monitor for medical identity theft

Medical identity theft is harder to detect than financial identity theft. Take these steps:

• Request an Explanation of Benefits (EOB) from your health insurance provider and review it for services you did not receive
• Check your medical records with your primary care doctor for any unfamiliar entries
• Request a copy of your records from the Medical Information Bureau at mib.com
• Set up alerts with your health insurance provider for any new claims

5. Watch for government benefit fraud

If your government benefit information was exposed:

• Log into your state benefits portal and verify your account details
• Check that your direct deposit information has not been changed
• Report any suspicious activity to your state's fraud hotline
• File a report with the FTC at identitytheft.gov

Why government contractor breaches are especially dangerous

When a company like Target or LinkedIn gets breached, the stolen data is usually limited to what you gave that specific company: an email, a password, maybe a credit card number. You change your password, get a new card, and move on.

Government contractor breaches are different for three reasons.

The data is irreplaceable. You cannot change your Social Security number. You cannot change your medical history. You cannot change your date of birth. When this data is stolen, it creates a permanent vulnerability that no password change can fix.

The data is comprehensive. Government systems contain some of the most complete profiles of individuals that exist anywhere. SSN, full legal name, address, date of birth, income information, family member details, medical history, insurance data. It is everything an attacker needs for total identity takeover.

The victims are often the most vulnerable. People who rely on government services like Medicaid, SNAP, and child support are often in financially precarious situations. They are the least able to absorb the costs of identity theft and the least likely to have the resources to monitor and respond to fraudulent activity.

This is why attacks on government contractors like Conduent are especially insidious. The SafePay ransomware group did not just steal data from a corporation. They stole the most sensitive information about millions of people who depend on government assistance.

Protect yourself with automated password changes

You cannot change your SSN or medical history. But you can change every password that protects your accounts, making it harder for attackers to use your stolen personal data to break into your digital life.

The problem is that most people have dozens of accounts to update and the manual process takes hours. Research shows that after a breach, fewer than 30% of affected individuals actually change their passwords.

Dosel solves this by automating the entire process:

1. Import your accounts from any password manager or browser
2. Select which passwords to rotate (start with healthcare, government, and financial accounts)
3. The AI agent navigates each website's password change flow for you
4. Export your updated credentials back to your password manager

Everything happens locally on your Mac. Your credentials never leave your machine. Zero-knowledge architecture ensures that nobody, not even us, can see your passwords.

Download Dosel for free and start rotating your most critical passwords today. The free tier covers 5 password changes per month. For unlimited changes, our Pro plan is $2.99/month.

After a breach of this magnitude, the only question is whether you change your passwords before or after an attacker tries to use your stolen data. Do not wait.

Sources

• TechCrunch: Data breach at govtech giant Conduent balloons, affecting millions more Americans
• Tom's Guide: Massive government tech data breach expands to more than 25 million Americans
• Malwarebytes: Ransomware gang claims Conduent breach
• TechRadar: Conduent data breach might have been much worse than initially expected

Need help protecting your accounts after the Conduent breach? Download Dosel or contact us at hello@dosel.app.