An obscure contractor handles Medicaid and SNAP—then 25M records got hacked
Who is Conduent? If you asked that question this past week, you’re not alone. Hackers stole sensitive information on a sizable portion of U.S. residents from this major data processor, with the original estimate to be about 10.5 million back in October. But recent disclosures have shot the number of the affected to 25 million—which pushed Conduent back into the news.
The Texas Attorney General has called this debacle the largest data breach in U.S. history, but that claim is not true. (Examples of larger breaches include the 2017 Equifax breach, which affected about 148 million, and the 2024 Change Healthcare ransomware attack, which hit over 190 million people.)
What is true is the threat of identity theft and other fraud, given the types of data that flows through Conduent—and how this breach was handled.
What Conduent does
Conduent handles back-end data processing for a variety of clients, both in the private and public sectors. That list includes U.S. government programs targeting hunger, child care, and medical care. In a recent press release, the company describes its government services as:
Conduent’s Government Solutions business provides U.S. agencies with solutions and services for healthcare claims administration, government benefit payments, eligibility and enrollment, and child support. The company helps administer critical benefit programs such as Medicaid, the Children’s Health Insurance Program (CHIP), the Supplemental Nutrition Assistance Program (SNAP), and Temporary Assistance for Needy Families (TANF).
Clients also include major private groups like heath insurer Blue Cross, with services covering tasks like mailing and payment processing.
What hackers stole from Conduent
Attackers infiltrated Conduent and stole data from October 21, 2024 through January 13, 2025. Conduent began disclosures to state regulators as early as January 2025, but did not begin directly notifying those affected until October 2025.
In its state filings, Conduent reported that leaked data included:
- Full names
- Physical addresses
- Dates of birth
- Social Security numbers
- Health insurance details
- Medical information
Why this lost data is dangerous
Outside of the identity theft risks that come from your name, birthdate, address, and social security information floating around on the dark web, detailed information about your health insurance or medical information can make you a juicier target for personalized scams.
Additionally, with Conduent having delayed for a year issuing direct notifications to individuals, plus the risk not being known to the public, those affected may not immediately catch the signs of identity theft or scams. You might continue thinking you’re only at average risk.
Is my Conduent data breach notification real?
If you received a paper notice in the mail from Conduent, it’s likely real. You can verify and ask follow-up questions by calling (855) 291-2605 or send a letter to:
Attn: Data Incident
100 Campus Drive, Suite 200
Florham Park, New Jersey 07932
How else do I protect myself from the Conduent data breach?
Conduent is providing one year of credit monitoring to affected individuals, but in my opinion, that’s not enough to be protected.
Instead, I recommend the following steps—even if you’re not affected directly by the Conduent data breach. Realistically it’s only a matter of time before a different breach will hit you the same way.
- Freeze your credit reports
- Check your credit report
- Setup an IRS identity verification PIN
- Freeze your banking report
You can read more details on each of these tasks in our guide on what to do if hackers stole your social security number. Usually each one takes about 15 to 20 minutes, possibly longer if you first need to create an account.
Also helpful: Set up alerts for your financial accounts (banking, credit cards, etc). You’ll immediately know if fraudulent activity pops up. Some banks also offer credit alerts that let you know when your credit score changes or a new account appears on your file.