
Texas AG Declares Conduent Ransomware Breach Largest U.S. Data Breach Ever

Overview of the Conduent ransomware breach impacting 25 million Americans, timeline, exposed data, AG declaration, and recommended mitigations for organizations.

By Peter Olaleru, Cybersecurity Editor (3 min read, US)


TL;DR: In February 2026 Texas Attorney General Ken Paxton declared the Conduent ransomware incident the largest data breach in U.S. history, affecting over 25 million individuals. Attackers accessed names, Social Security numbers, birth dates, addresses, medical diagnosis codes and insurance claim numbers between October 2024 and January 2025.

Context

Conduent Business Services processes benefits and human‑resources data for state Medicaid programs, employer health plans and federal agencies. Most of the 25 million‑plus recipients had never interacted with the company before receiving breach notification letters in early 2026. The letters offered a year of free credit monitoring and an apology.

Key Facts

- The intrusion began in October 2024 and continued through January 2025, during which ransomware operators exfiltrated personal and medical records.
- Exposed data included full names, Social Security numbers, dates of birth, home addresses, diagnosis codes and health insurance claim numbers.
- Texas Attorney General Ken Paxton announced in February 2026 that the breach surpasses all prior U.S. incidents in scale, labeling it the largest ever recorded.
- Technical details of the initial intrusion have not been publicly disclosed; Conduent has not attributed the attack to a specific threat actor or named an exploited vulnerability.
- No ransom payment has been confirmed, and the attackers have not released the stolen data on public leak sites as of the latest disclosures.

What It Means

The scale of the breach places unprecedented pressure on affected individuals to monitor for identity theft and fraud. For organizations, it highlights the risk posed by third‑party processors that aggregate sensitive health and benefits data. Regulators may increase scrutiny of vendor management practices and breach notification timelines.

Mitigations

- Apply the latest security patches to internet‑facing services, prioritizing CVE‑2023‑28252 (Citrix ADC/Gateway) and CVE‑2022‑22965 (Spring4Shell) as examples of commonly exploited vectors in ransomware campaigns.
- Enforce multifactor authentication on all privileged accounts and remote access solutions.
- Segment networks to isolate systems that store personal health information from general corporate traffic.
- Deploy endpoint detection and response (EDR) tools tuned to detect MITRE ATT&CK techniques T1059 (Command‑and‑Control Scripting), T1078 (Valid Accounts), and T1041 (Exfiltration Over Command‑and‑Control Channel).
- Conduct regular tabletop exercises that include third‑party breach scenarios and verify that incident response playbooks cover timely notification to state attorneys general.
- Review and tighten vendor contracts to require continuous security monitoring, immediate breach reporting, and annual third‑party audits.
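The segmentation and T1041 detection items above pair naturally: once PHI systems sit in their own segment, the volume of data leaving that segment for external hosts becomes a simple, high-signal thing to watch. The script below is an added illustration of that idea, not code from the article or from Conduent. It assumes a hypothetical PHI segment of 10.50.0.0/16, a minimal whitespace-separated flow log (timestamp, source, destination, destination port, bytes out), RFC 1918 ranges as the definition of "internal", and a constructed sample log; the 500 MB threshold is an arbitrary starting point to be replaced with a baseline measured on real traffic.

```python
"""Flag PHI-segment hosts sending unusual volumes to external addresses.

Added example for the mitigations above (network segmentation plus
detection of ATT&CK T1041, exfiltration over an existing channel).
The log format, subnet and threshold are assumptions, not Conduent's.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Dict, List, Tuple

# Assumption: systems holding personal health information live here.
PHI_SEGMENT = ip_network("10.50.0.0/16")

# Anything outside these RFC 1918 ranges is treated as external.
INTERNAL_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Per (source, destination) byte total that triggers an alert. Arbitrary
# starting value; tune against the segment's measured outbound baseline.
DEFAULT_THRESHOLD_BYTES = 500_000_000

# Constructed sample flow log, not real traffic. Fields:
# timestamp src dst dst_port bytes_out
SAMPLE_FLOWS = """\
2025-01-10T01:02:03Z 10.50.1.12 10.50.2.5 1433 4096
2025-01-10T01:05:11Z 10.50.1.12 203.0.113.9 443 734003200
2025-01-10T01:06:40Z 10.50.1.13 198.51.100.7 443 12288
2025-01-10T01:07:02Z 10.20.3.4 203.0.113.9 443 900000000
2025-01-10T01:08:15Z 10.50.1.12 203.0.113.9 443 655360000
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: int
    bytes_out: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed five-field flow format, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append(Flow(ts, ip_address(src), ip_address(dst), int(port), int(nbytes)))
    return flows


def is_external(ip: IPv4Address) -> bool:
    """External means not inside any of the configured internal ranges."""
    return not any(ip in net for net in INTERNAL_RANGES)


def outbound_totals(flows: List[Flow], segment=PHI_SEGMENT) -> Dict[Tuple[str, str], int]:
    """Sum bytes per (source, destination) for PHI-segment hosts talking to external hosts.

    Flows that stay internal, or that originate outside the PHI segment
    (for example 10.20.3.4 in the sample), are ignored on purpose: the
    detector is scoped to the segment the mitigation isolates.
    """
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.src in segment and is_external(f.dst):
            totals[(str(f.src), str(f.dst))] += f.bytes_out
    return dict(totals)


def flag_exfil(flows: List[Flow], segment=PHI_SEGMENT,
               threshold: int = DEFAULT_THRESHOLD_BYTES) -> List[Tuple[str, str, int]]:
    """Return (src, dst, total_bytes) pairs at or above the threshold, largest first."""
    hits = [(src, dst, total)
            for (src, dst), total in outbound_totals(flows, segment).items()
            if total >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for src, dst, total in flag_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {src} -> {dst}: {total:,} bytes outbound from PHI segment")
```

On the sample log the two transfers from 10.50.1.12 to 203.0.113.9 add up to about 1.39 GB and are reported as one alert, while the small transfer from 10.50.1.13 stays below the threshold and the large transfer from 10.20.3.4 is ignored because that host is outside the PHI segment. In practice the aggregation window (here, the whole log) and the per-host baseline matter more than the raw threshold, and the same summary feeds the tabletop exercises the article recommends, since it gives responders a concrete artifact to act on.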

What to watch next: Federal agencies may issue guidance on breach reporting thresholds, and state legislatures could consider stricter penalties for inadequate vendor oversight.
