Cyber Incident Victim: Conduent
Date: Oct 2024
Location: United States of America
Summary
A Texas investigation was launched into a massive data breach impacting millions of residents after unauthorized access compromised systems of a business services provider handling sensitive health data. The incident exposed protected health information, including Medicaid recipient records, affecting approximately 4 million individuals through vulnerabilities in third-party administrative systems. The state attorney general issued civil demands targeting both the provider and a major health insurer client to assess compliance with data protection laws, security protocols, and breach response adequacy. Exposed data included names, addresses, and medical details, raising concerns about identity theft, fraud, and privacy violations. The probe focuses on potential negligence in safeguarding confidential information and vendor oversight responsibilities.
Description
Between October 21, 2024, and January 13, 2025, an unauthorized third party infiltrated the systems of Conduent Business Services LLC, a global business process services company handling administrative functions for clients including health insurers. The breach exposed sensitive personal data of approximately 4 million Texans, encompassing names, addresses, and protected health information of Texas Medicaid recipients. Conduent discovered the intrusion during this period, though the exact detection date remains unspecified in public disclosures. The compromised data included medical records containing treatment details, conditions, and family histories—categories requiring stringent protection under federal and state laws. Texas Attorney General Ken Paxton announced an investigation on February 12, 2026, characterizing the incident as potentially the largest data breach in U.S. history due to its scale and the sensitivity of the exposed records. Civil Investigative Demands were issued to Conduent and Blue Cross Blue Shield of Texas (BCBSTX), a major Conduent client whose policyholders were affected, compelling both entities to produce documents related to security protocols, incident response, and regulatory compliance.

The investigation focuses on BCBSTX’s adherence to Texas laws governing confidential data protection and Conduent’s cybersecurity measures, internal communications, and legal compliance. Attorney General Paxton emphasized scrutiny of breach discovery timelines, vendor oversight practices, and notification procedures for affected individuals and regulators. Exposed individuals face risks of identity theft, financial fraud, medical discrimination, and privacy violations due to the highly sensitive nature of the health data. Legal experts indicate the probe could lead to civil penalties, corrective actions, or criminal referrals if evidence reveals negligence or violations. The breach highlights systemic vulnerabilities in healthcare data management, particularly third-party vendor risks, as BCBSTX remains accountable for monitoring Conduent’s safeguards under privacy laws. No containment measures or technical specifics about the attack vector were disclosed, though Paxton’s office described the intrusion as a sophisticated cyberattack. The incident’s aftermath centers on determining accountability across both organizations while affected Texans await potential restitution and strengthened data protection frameworks.
