The number finally stopped moving, and it landed at a historic mark. Conduent Business Services has reported to federal regulators that 62,224,658 people had their information compromised in the ransomware breach it discovered in January 2025. The figure, filed with the HHS Office for Civil Rights on June 4 and confirmed through subsequent reporting, makes Conduent the third-largest healthcare data breach ever recorded in the United States — behind only the 192.7 million-record Change Healthcare breach of 2024 and the 78.8 million-record Anthem breach of 2015.

That is roughly one in five Americans. Most of them have never heard of Conduent.

The Breach That Kept Growing

We have been tracking this incident since late 2025, and the victim count has been a moving target the entire time:

From 10.5 million to 62.2 million is nearly a 6x expansion over eight months of rolling disclosure. Every step along the way was technically accurate at the time it was filed, and every step understated the real scope. That is not a Conduent-specific pathology — it is how breach disclosure works when a data processor sits beneath dozens of clients, each of which must separately determine whose data was in the stolen set. But the effect on the public is the same: the true size of the incident arrives a year and a half after the intrusion, long after the news cycle has moved on.

What Happened, Revisited

The underlying facts have been stable since our first coverage. Attackers were inside Conduent’s network from October 21, 2024 to January 13, 2025 — nearly three months of undetected access. The SafePay ransomware group claimed responsibility, asserting it had stolen multiple terabytes of data; forensic reporting put the exfiltration at 8.5 TB.

Conduent is a back-office contractor — it processes documents, claims, printing, and mailing for healthcare payers, providers, and government agencies, including Medicaid programs and state benefits systems. The stolen data reflects that role: names, Social Security numbers, medical information, and health insurance details, varying by client whose files were in the exfiltrated set.

That vendor role is also why so few of the 62 million victims will recognize the company that lost their data. Conduent never treated them, never insured them, never sold them anything. It touched their data because a payer or a state agency outsourced paperwork. The people affected had no relationship with Conduent to terminate, no account to close, no consent to withdraw — and no realistic way to have assessed its security posture in advance.

The New Top Three

The updated U.S. healthcare breach leaderboard now reads:

RankOrganizationYearIndividuals
1Change Healthcare2024192.7 million
2Anthem201578.8 million
3Conduent Business Services2025–2662.2 million

Two of the three are not care providers at all — they are infrastructure and processing layers. Change Healthcare was a claims clearinghouse; Conduent is a document processor. The pattern is unambiguous: the largest concentrations of American health data do not sit in hospitals, they sit in the invisible middleware of the healthcare economy, where a single intrusion inherits the data of hundreds of downstream clients at once. It is the same third-party concentration risk we flagged in the Health-ISAC 2026 threat report analysis — and Conduent has now supplied the canonical case study.

Eighteen Months From Intrusion to Truth

The timeline deserves to be laid out plainly, because it is the real story:

  • October 2024 — Intrusion begins.
  • January 2025 — Intrusion detected; systems disrupted; incident disclosed in general terms.
  • November 2025 — First mass notifications; ~10.5 million.
  • February 2026 — Rolling state filings; 25 million and climbing.
  • June 4, 2026 — HHS OCR filing: 62,224,658.
  • July 2026 — Public reporting confirms the third-largest ranking.

Victims whose data left Conduent’s network in late 2024 are receiving definitive notice in mid-2026. Whatever identity-theft window that data enabled has been open the entire time. Credit monitoring offered eighteen months after exfiltration is not protection; it is paperwork.

What This Means

For individuals: if you have interacted with a state Medicaid program, government benefits system, or major health plan in the last several years, assume your data may be in this set. Freeze your credit with all three bureaus — it remains the single highest-value defensive action, and it is free.

For healthcare organizations: Conduent is the strongest argument yet that vendor risk assessments cannot stop at the vendors you contract with directly. Data flows to processors, and processors aggregate risk. Contractual breach-notification clauses measured in months, not days, are how a 62-million-person breach takes a year and a half to fully surface.

For regulators: the rolling-disclosure problem is structural. When a processor-level breach is disclosed at 10 million and finalizes at 62 million, every intermediate decision made by consumers, litigants, and even insurers was made on bad numbers. Processor-level breaches arguably warrant consolidated, deadline-bound reporting — because the current model let the third-largest healthcare breach in American history stay under-counted for over a year.

The Conduent saga is likely finished growing. The question it leaves behind is not about one contractor’s security — it is about how many other invisible middleware companies are holding a fifth of the country’s data right now, and what their October 2024 looks like.

Sources