Legal Actions After Conduent Hack Exposes Health Information

Following a disclosed hacking incident in October 2024, Conduent Business Solutions faces multiple proposed class action lawsuits, such as Reagan Smith on behalf of himself and all others similarly situated v. Conduent, Inc., alleging that the company failed to protect personal and health information.

Reports indicate that more than 10.5 million individuals may have been affected by unauthorized access to Conduent’s systems, according to an article in Bank Info Security by Marianne Kolbasuk McGee.

The lawsuits, filed in New Jersey federal court since late October 2025, allege negligence in safeguarding sensitive information. They all seek damages and injunctive relief, including improved data security measures and identity protection services for affected individuals.

Conduent, based in New Jersey, originated from a 2017 spinoff of Xerox. It provides back-office services to businesses and governments across 22 countries, generating $3.4 billion in revenue in 2024. The affected clients include major health insurers, such as Blue Cross Blue Shield of Montana and Texas, Humana, and Premera Blue Cross, as well as state agencies.

While some organizations, including Oklahoma’s Department of Human Services, report no impact on their systems, others confirmed that Conduent-managed files containing personal and health information were compromised.

The breach prompted regulatory scrutiny in Montana, which is investigating why notification to affected members was delayed for nearly ten months.

The cyber incident involved unauthorized access to a limited portion of Conduent’s network and potentially included sensitive identifiers such as Social Security numbers, medical details, and health insurance data. 

Ransomware gang SafePay claimed responsibility for the attack, and allegedly threatened to release 8.5 terabytes of stolen data. Conduent reported the incident to the SEC in April 2025 and has implemented measures to secure its systems, restore operations, and notify affected individuals, with ongoing forensic review of the compromised data.

The unfolding litigation and regulatory attention highlight exposure risks for service providers handling health information. Lawyers for these organizations must emphasize that prompt notification, thorough forensic analysis, and transparent communication with clients and affected individuals are crucial steps in mitigating the consequences of large-scale data breaches.