Cybersecurity / 4 hrs ago

Texas AG Calls Conduent Breach the Largest U.S. Data Leak in History

Over 25 million Americans were notified of a ransomware breach at Conduent, which Texas's attorney general has called the largest data leak in U.S. history. Learn the impact and mitigations.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Cybersecuritynews

Over 25 million Americans were notified that ransomware operators exfiltrated personal data from Conduent, an incident Texas Attorney General Ken Paxton has called the largest data breach in U.S. history.

Context Conduent Business Services processes Medicaid benefits, employer health plans, and other government records on behalf of state agencies and employers, so most of the affected people had no direct relationship with the company. Between October 2024 and January 2025, attackers had access to the company’s network and extracted names, Social Security numbers, dates of birth, home addresses, medical diagnosis codes, and health‑insurance claim numbers. In February 2026, Texas Attorney General Ken Paxton publicly labeled the incident the nation’s biggest data breach.

Key Facts
- The breach affected more than 25 million individuals, most of whom had never heard of Conduent before receiving a mailed notice.
- The attack followed the double‑extortion sequence: the operators exfiltrated data first, then encrypted files and demanded payment. Restoring from backups therefore addresses the encryption but not the exposure.
- The report cites preliminary analysis pointing to a known ransomware family that leverages the EternalBlue exploit (CVE‑2017‑0144, an SMBv1 remote code execution flaw) to move laterally across Windows servers. The analysis is preliminary, so treat the attribution as unconfirmed.
- The stolen data includes personally identifiable information (PII) and protected health information (PHI), making victims vulnerable to identity theft and medical fraud.
- The average identity‑theft victim spends over 200 hours and $1,343 to recover, according to the 2025 Identity Theft Resource Center report.

What It Means For security teams, the breach underscores the danger of legacy Windows systems that remain unpatched for critical vulnerabilities like CVE‑2017‑0144, for which Microsoft shipped a fix (MS17‑010) in March 2017. The combination of data exfiltration followed by ransomware encryption is the “double extortion” model now common among cybercriminal groups: the encryption is the visible event, but the exfiltration that precedes it is the one that cannot be undone. Organizations handling health data must treat the incident as a case study for tightening network segmentation, enforcing least‑privilege access, and monitoring for abnormal outbound data flows.

Mitigations
- Apply the MS17‑010 fix for CVE‑2017‑0144 and any other outstanding Windows updates immediately, and disable SMBv1 where it is still enabled. The patch has been available since 2017, so an exposed host is a patch‑management failure, not a zero‑day problem.
- Implement network segmentation to isolate systems that store PII and PHI from general corporate networks, and restrict SMB (TCP 445) between segments to the hosts that actually need it.
- Enable multi‑factor authentication (MFA) on all privileged accounts. MFA does not prevent credential theft; it stops a stolen password from being enough on its own.
- Deploy endpoint detection and response (EDR) tools that can flag ransomware behaviors such as rapid file encryption (mass renames with changed extensions) and outbound data spikes.
- Monitor logs for MITRE ATT&CK techniques T1078 (Valid Accounts), T1041 (Exfiltration Over C2 Channel) and T1486 (Data Encrypted for Impact). In a double‑extortion case the exfiltration alert fires before the encryption alert, so it is the one that leaves time to respond.
- Conduct regular phishing simulations, as ransomware operators often gain initial access through malicious email attachments.
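To make “rapid file encryption” and “outbound data spikes” concrete, here is an added example written for this article; it is not Conduent’s telemetry and not any EDR vendor’s rule set. It runs two heuristics over a constructed host‑event feed (the log format, hostnames, addresses, thresholds and byte counts are all assumptions chosen for illustration) and then correlates them in double‑extortion order: an outbound spike on a host, followed within an hour by a burst of extension‑changing renames on the same host.

```python
# Added example: two ransomware heuristics over a constructed event feed,
# correlated in double-extortion order (exfiltrate first, encrypt later).
# Not Conduent's telemetry and not a vendor's detection logic; the feed
# format, hosts, thresholds and byte counts below are assumptions.
import os
import statistics
from collections import defaultdict, deque

# Constructed sample feed (not real logs). One event per line:
#   <epoch> <host> <user> <event> <key=value ...>
_BASE = 1730000000
_LINES = [
    # srv-claims01: three ordinary transfers, then ~2 GB to an external address.
    f"{_BASE} srv-claims01 svc_backup NET_OUT bytes=4200 dst=10.0.5.20",
    f"{_BASE + 10} srv-claims01 svc_backup NET_OUT bytes=5100 dst=10.0.5.20",
    f"{_BASE + 20} srv-claims01 svc_backup NET_OUT bytes=3900 dst=10.0.5.20",
    f"{_BASE + 30} srv-claims01 svc_backup NET_OUT bytes=980000000 dst=203.0.113.7",
    f"{_BASE + 40} srv-claims01 svc_backup NET_OUT bytes=1200000000 dst=203.0.113.7",
    # srv-hr02: normal activity, including an extension-preserving rename.
    f"{_BASE + 50} srv-hr02 alice NET_OUT bytes=2200 dst=10.0.5.20",
    f"{_BASE + 60} srv-hr02 alice FILE_RENAME old=report.docx new=report_final.docx",
    f"{_BASE + 900} srv-hr02 alice FILE_RENAME old=notes.txt new=notes.md",
    f"{_BASE + 1800} srv-hr02 alice FILE_RENAME old=old.csv new=old.csv.bak",
]
# srv-claims01 again: 25 extension changes in 25 seconds (the encryption step).
_LINES += [
    f"{_BASE + 100 + i} srv-claims01 svc_backup FILE_RENAME "
    f"old=claim{i:02d}.db new=claim{i:02d}.db.locked"
    for i in range(25)
]
SAMPLE_LOG = "\n".join(_LINES)


def parse_line(line):
    """Split one feed line into a dict; key=value pairs become extra fields."""
    ts, host, user, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": int(ts), "host": host, "user": user, "event": event, **fields}


def _ext(name):
    return os.path.splitext(name)[1].lower()


def detect_rapid_encryption(events, window=60, threshold=20):
    """T1486 signal: one (host, user) changes the extension of at least
    `threshold` files within `window` seconds. Extension-preserving renames
    are ignored, which filters ordinary save/rename activity."""
    recent = defaultdict(deque)   # (host, user) -> timestamps inside the window
    fired = set()                 # alert once per (host, user)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "FILE_RENAME" or _ext(ev["old"]) == _ext(ev["new"]):
            continue
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "ts": ev["ts"], "files": len(q)})
    return alerts


def detect_outbound_spike(events, baseline_n=3, factor=50):
    """Exfiltration signal: a NET_OUT event whose byte count exceeds `factor`
    times the median of that host's first `baseline_n` transfers. The short
    learning period is an illustration; production would use a longer history."""
    history = defaultdict(list)   # host -> byte counts seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "NET_OUT":
            continue
        seen = history[ev["host"]]
        size = int(ev["bytes"])
        if len(seen) >= baseline_n:
            baseline = statistics.median(seen[:baseline_n])
            if size > factor * baseline:
                alerts.append({"host": ev["host"], "ts": ev["ts"],
                               "bytes": size, "dst": ev.get("dst")})
        seen.append(size)
    return alerts


def correlate(log_text, max_gap=3600):
    """Join the signals: an encryption alert preceded on the same host, within
    `max_gap` seconds, by an outbound spike is reported as double extortion."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    spikes = detect_outbound_spike(events)
    findings = []
    for enc in detect_rapid_encryption(events):
        prior = [s for s in spikes
                 if s["host"] == enc["host"] and 0 <= enc["ts"] - s["ts"] <= max_gap]
        findings.append({**enc, "exfil_before_encrypt": bool(prior),
                         "exfil_bytes": sum(s["bytes"] for s in prior)})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

On the sample feed the only finding is srv-claims01 / svc_backup, with the encryption alert firing at the 20th extension change and about 2.2 GB of outbound traffic to 203.0.113.7 recorded roughly a minute earlier. The thresholds (20 extension changes in 60 seconds, 50 times the per‑host baseline) are starting points to tune against your own environment; the design point is that the outbound spike is visible before the encryption starts, which is the only window in which a double‑extortion attack can still be interrupted.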

What to Watch Next Watch for any indictments or civil actions that may reveal the ransomware group’s identity and for regulatory guidance that could tighten reporting requirements for health‑data processors.
