A ransomware attack on one of America's largest government technology contractors has exposed the personal data of more than 25 million people — and the number is still climbing.
Conduent, the company that processes Medicaid payments, child support disbursements, food assistance programmes, and transit systems for dozens of US states, was hit by the SafePay ransomware gang in January 2025. The attackers claimed to have stolen over 8 terabytes of data. That data includes names, Social Security numbers, medical records, and health insurance information.
This follows the recent Betterment breach that exposed 1.4 million investor records.
The breach was initially reported as affecting around 4 million people in Texas. Then it grew to 10 million across multiple states. Now, over a year later, the confirmed number has ballooned past 25 million — and Conduent still hasn't finished sending notifications.
If you've ever interacted with a US government benefits programme, your data may be in the hands of criminals. And the phishing campaigns built on that data are going to be unlike anything most people have seen before.
What Happened?
Conduent is a business technology firm that says its services reach more than 100 million people across US government healthcare and social services programmes. It handles medical billing, toll transactions, prepaid benefit cards, and digital platforms for both government and corporate clients.
The breach began in October 2024 and was contained in January 2025, knocking out Conduent's operations for several days and disrupting government services across the United States. Despite the severity, Conduent didn't publicly disclose the attack until an SEC filing in April 2025 — months after the breach.
The SafePay ransomware gang claimed responsibility in February 2025, listing Conduent on its leak site.
Individual breach notifications didn't begin until October 2025, and Conduent has said it expects to complete all notifications by April 15, 2026. That means some victims won't learn their data was stolen until nearly 18 months after the attack.
How Big Is This?
The scale is staggering, and it keeps growing:
- Texas: 15.4 million people affected — about half the state's population, up from an initial estimate of 4 million
- Oregon: 10.5 million people affected per the state's attorney general (notably higher than Oregon's 4.9 million population — likely includes non-residents whose data was processed through Oregon systems)
- Delaware, Massachusetts, New Hampshire: Hundreds of thousands notified
- California, Indiana, Maine, Vermont: Additional notifications sent
The total confirmed count now exceeds 25.9 million. Given that Conduent's systems touch over 100 million Americans and notifications are still ongoing, the final number could be significantly higher.
What Was Stolen?
According to breach notifications reviewed by TechCrunch and Conduent's own SEC filings, the stolen data includes:
- Names and personal details (all affected individuals)
- Social Security numbers (the most dangerous element)
- Medical data and health records
- Health insurance information
Conduent confirmed in its September 2025 SEC filing that the stolen datasets "contained a significant number of individuals' personal information associated with our clients' end-users."
This isn't just email addresses and passwords. This is the foundational data of identity — the kind that doesn't change, can't be reset, and enables fraud for years to come.
Why This Breach Is Exceptionally Dangerous
Most data breaches expose credentials or contact information. The Conduent breach is different because of what was stolen and who it belongs to.
Social Security numbers are permanent. Unlike a password or even a credit card number, you can't change your SSN. Once it's stolen, it's a lifelong vulnerability. Every tax filing, credit application, and identity verification you do for the rest of your life is now at elevated risk.
Medical records add devastating context. Attackers don't just know your name — they know your health conditions, your insurance provider, and potentially your prescriptions. This turns generic phishing into deeply personal manipulation.
Government benefits data reveals vulnerability. The people in this breach aren't random consumers. Many are Medicaid recipients, families receiving child support, people on food assistance, and public transit users. Attackers know these individuals interact with government systems regularly — which makes government impersonation emails far more convincing.
The combination is what makes it lethal. Name + SSN + medical records + knowledge of specific government programmes = phishing emails that feel indistinguishable from legitimate government communications.
What the Phishing Emails Will Look Like
Based on the specific data stolen and the government services Conduent handles, here are the scam patterns that will follow this breach:
Fake Credit Monitoring Offers
Subject lines:
- "Conduent data breach: Activate your free credit monitoring now"
- "Urgent: Your Social Security number may be compromised — enrol today"
- "TransUnion identity protection: You're eligible for 24 months free"
What they'll do: This is the number one scam after any breach involving Social Security numbers. Attackers know victims will be expecting credit monitoring offers (because that's what companies always provide after breaches). The emails will link to convincing fake enrolment pages designed to harvest even more personal data — bank details, additional identification, or login credentials for real credit monitoring services.
How to spot them: Conduent has said it will send notifications by April 15, 2026. Any legitimate credit monitoring offer will come through official postal mail or directly from Conduent's notification process. Don't click email links — go directly to Conduent's website if you want to check your status.
Fake Government Benefits Notifications
Subject lines:
- "Action required: Your Medicaid eligibility needs re-verification"
- "SNAP benefits update: Confirm your identity to avoid interruption"
- "Child support payment: Verify your details to continue receiving funds"
- "Important notice about your EBT card"
What they'll do: Because Conduent processes payments for Medicaid, food assistance (SNAP), and child support across multiple states, attackers know exactly which government programmes their victims use. They'll send fake notifications threatening to cut off benefits unless the recipient "verifies" their identity — providing a link to a phishing page that captures whatever data the attackers don't already have.
Why they're so dangerous: If you actually receive Medicaid or child support, an email about your benefits feels immediately urgent and credible. The attackers are counting on that urgency to override caution.
IRS and Tax Fraud Scams
Subject lines:
- "IRS notice: Suspicious activity on your tax account"
- "Your tax refund has been flagged for review — action required"
- "Important: Updated W-2 information needed"
What they'll do: With Social Security numbers in hand, attackers can file fraudulent tax returns, claim false refunds, or send convincing IRS impersonation emails. SSNs are the key that unlocks tax fraud, and with 25 million of them now circulating, expect a wave of tax-related scams — particularly during the January to April filing season.
What to watch for: The IRS does not initiate contact by email. Full stop. Any email claiming to be from the IRS is a scam. If you're concerned about tax fraud, file your return early and consider requesting an IRS Identity Protection PIN.
Medical Billing and Insurance Fraud
Subject lines:
- "Outstanding balance on your recent medical visit"
- "Your health insurance claim requires additional information"
- "Important update to your prescription coverage"
What they'll do: The stolen medical records give attackers specific knowledge about victims' healthcare interactions. They can reference real insurance providers, plausible medical procedures, or prescription medications to craft billing scams that feel entirely authentic. The goal is to get victims to provide payment information for fake "outstanding balances" or to harvest additional insurance details.
The long game: Medical identity fraud is particularly insidious because it can go undetected for months or years. Someone using your health insurance details to receive treatment can corrupt your medical records, affect your future coverage, and create billing nightmares that take years to resolve.
State Government Impersonation
Subject lines:
- "Texas Health and Human Services: Update your contact information"
- "Oregon Department of Human Services: Benefits review notification"
- "Important notice from [State] Department of Social Services"
What they'll do: Because different states use Conduent for different programmes, attackers can tailor their phishing by state. A Texas resident might receive a fake HHS notification; an Oregon resident might get a fake DHS communication. The specificity makes these vastly more convincing than generic government scams.
Sender Patterns to Watch For
Government impersonation emails will likely come from addresses like:
- [email protected] (fake — note the .gov.com)
- [email protected]
- [email protected]
- [email protected]
Legitimate government emails come from .gov domains. Legitimate Conduent communications come from @conduent.com. Anything else warrants immediate suspicion.
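The sender rule above, as an added example (not part of the original article): a Python check that judges the From address by where its domain ends, so a lookalike such as the .gov.com pattern noted above fails. The sample headers, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_EXACT = {"conduent.com"}   # article: Conduent mail is @conduent.com
TRUSTED_SUFFIXES = (".gov",)       # article: government mail is on .gov

# Constructed sample messages (assumed addresses, not real agency senders).
SAMPLES = {
    "lookalike_gov_com": "From: Texas HHS <notices@hhs-texas.gov.com>\n\nbody",
    "display_name_spoof":
        'From: "notice@conduent.com" <alerts@conduent-help.example>\n\nbody',
    "suffix_trick": "From: Conduent <notice@conduent.com.example>\n\nbody",
    "gov_sender": "From: Benefits <noreply@benefits.example.gov>\n\nbody",
    "conduent_sender": "From: Conduent <notice@conduent.com>\n\nbody",
    "no_from_header": "Subject: Important notice about your EBT card\n\nbody",
}


def sender_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the From address ('' if unparsable)."""
    msg = message_from_string(raw_message)
    # parseaddr separates the display name from the real address, so an
    # address typed into the display name is ignored.
    _display, addr = parseaddr(msg.get("From", ""))
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()


def classify_sender(raw_message: str) -> str:
    """Return 'trusted-domain' or 'suspect' using the article's sender rule."""
    domain = sender_domain(raw_message)
    if not domain:
        return "suspect"
    if domain in TRUSTED_EXACT:
        return "trusted-domain"
    # endswith(), not a substring test: 'hhs-texas.gov.com' contains '.gov'
    # but its rightmost label is '.com', so it is not a government domain.
    if domain.endswith(TRUSTED_SUFFIXES):
        return "trusted-domain"
    return "suspect"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20} {sender_domain(raw) or '-':28} {classify_sender(raw)}")
```

A matching domain only shows that the visible From address follows the rule; the header itself can be forged, so a mail filter would also weigh the message's SPF, DKIM and DMARC results.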
What To Do Right Now
If you've ever used Medicaid, SNAP, child support, or other government benefits in any US state — or if you've interacted with any system that Conduent processes — take these steps:
1. Assume you're affected. With 25 million confirmed and counting, and Conduent's systems touching 100 million Americans, the odds are not in your favour. Don't wait for a notification letter to act.
2. Freeze your credit. This is the single most effective action you can take. Contact all three credit bureaus — Equifax, Experian, and TransUnion — and place a security freeze. It's free and prevents anyone from opening new credit accounts in your name.
3. Request an IRS Identity Protection PIN. Go to irs.gov/ippin and request a PIN. This prevents anyone from filing a fraudulent tax return using your Social Security number.
4. Monitor your medical records. Request an explanation of benefits from your health insurance provider and review it for any treatments or services you didn't receive. Report discrepancies immediately.
5. Treat every government-related email with suspicion. For the foreseeable future, do not click links in any email claiming to be from a government agency, Conduent, or a credit monitoring service. If something seems legitimate, go directly to the official website by typing the address yourself.
6. Don't trust "breach compensation" offers. There is no compensation programme for the Conduent breach. Any email offering money, gift cards, or settlements is a scam.
7. Watch your benefits. If you receive government benefits processed by Conduent, monitor your payments and account activity closely. Report any irregularities to your state benefits office directly.
The Bigger Picture
The Conduent breach highlights a systemic problem: government contractors hold vast quantities of the most sensitive personal data imaginable, yet they're not held to the same security standards as the government agencies they serve.
Conduent's systems process data for Medicaid, child support, food assistance, and transit across dozens of states. When a company like this is breached, the impact isn't limited to one service or one state — it cascades across every programme and every person they've ever processed data for.
The breach began in October 2024. It wasn't disclosed until April 2025. Notifications didn't start until October 2025. And they won't be complete until April 2026. That's an 18-month window where millions of people had no idea their most sensitive data was in criminal hands.
During that window, the phishing emails have already started. And they'll continue for years — because Social Security numbers don't expire, medical records don't become less useful, and government benefits recipients will continue to be prime targets for impersonation scams.




