Missouri Alleges Conduent is Stonewalling State on Hack

Healthcare , Industry Specific , Litigation Missouri Alleges Conduent is Stonewalling State on Hack State Insurance Officials Seeking Details About Service Firm's Mega Data Breach Marianne Kolbasuk McGee (HealthInfoSec) • May 8, 2026     Credit Eligible Get Permission Missouri is the latest state digging into the 2024 hack on business services firm Conduent, which affected at least 25 million individuals nationwide. (Image: Conduent) Missouri regulators are widening an investigation into a 2024 hacking incident at Conduent Business Services, alleging that the company is stonewalling the state's attempts to obtain information about the data breach, which is estimated to affect more than 25 million people nationwide. See Also: Cloud Security in Healthcare: Shifting from Reactive to Proactive Strategies Missouri's Department of Commerce and Insurance on Tuesday published a public request that insurers share with the state information "about any services utilized through Conduent Business Services or its affiliates" following the company's cybersecurity incident, which was first publicly disclosed in April 2025. "To date, Conduent has been unwilling to provide the department with the information needed to assess the impact of what is reportedly one of the largest cybersecurity breaches in U.S. history," the state said. "We are concerned and disappointed that Conduent has not provided sufficient information for regulators to fully assess the potential impact of this breach,” said Angela Nelson, DCI director in a statement. "Clear and timely communication is critical in these situations, and we are continuing to seek the details needed to evaluate any risk to Missouri insurance consumers." Missouri said investigators have been in direct contact with Conduent since March when the state first urged insurers have utilized Conduent to determine if their members have been affected by the cybersecurity breach, "and, if so, to ensure that their members have been notified by Conduent." Missouri this week warned consumers "to remain alert and take proactive steps to safeguard their personal information as the investigation continues." Conduent, a spinoff of Xerox, provides mailroom and document processing services - including receipt of insurance claim forms - payment integrity services, and other back-office support services to a variety of companies, including insurers. The company in a filing to Wisconsin regulators in February estimated the data breach affected "25 million-plus" individuals nationwide (see: Conduent Says Hack Now Affects at Least 25 Million Patients). Conduent in a statement to ISMG said the company "is committed to cooperating with the DCI to the extent it can do so without violating any laws, regulations, or contractual obligations." "The cybersecurity incident affected Conduent Business Services, which is not a licensee with DCI. Conduent agreed to provide notice on behalf of its clients; however, Conduent does not have visibility regarding which of its clients are licensees with DCI, and it has no authority to speak with DCI on behalf of any clients." Following contact with DCI, Conduent informed relevant clients that DCI has asked all licensees with affected Missouri residents to submit a report to DCI, the company said. "We also informed DCI that we support their bulletin plan to communicate directly with its licensees, and we will continue to respond to DCI’s requests as appropriate." A Widening Net of Investigations Missouri is among several states - including Montana and Texas - that have publicly launched investigations into the Conduent hack. In February, Texas Attorney General Ken Paxton said his office served Blue Cross Blue Shield and Conduent with an administrative subpoena for evidence of compliance with state law for the protection of confidential information. The office is also examining Conduent’s security measures, communications and compliance with Texas law, said Paxton, who labeled the incident as "the largest data breach in U.S. history," despite the Change Healthcare 2024 ransomware hack affecting a record-breaking 193 million people. Conduent in April 2025 first publicly disclosed the hack in a filing to the U.S. Securities and Exchange Commission, saying it discovered the incident on Jan. 13, 2025. The company's investigation found that hackers broke into Conduent servers from Oct. 21, 2024, to Jan. 13, 2025. Information compromised in the incident potentially includes individuals' names, addresses, dates of birth, Social Security numbers, health insurance details and medical information. Darkweb monitoring platform Ransomware.live found that ransomware gang SafePay listed Conduent on its dark web leak site in February 2025 as one of its victims, threatening to publish 8.5 terabytes of the company's stolen data. Conduent faces numerous proposed civil class action lawsuits involving the incident (see: Lawsuits, Investigations Piling Up in Conduent Hack). Steven Adler, a partner at consulting The Edmund Group and a former risk management executive at health insurer Humana, said that if Conduent is being perceived as being uncooperative with regulators, "it may most likely be their inability to answer key questions with confidence." That likely includes the total number of consumers impacted by the breach, complete lists of all the consumers impacted and the personal information identifiers exposed, and also whether any fourth party companies were affected by the breach, he said. "The healthcare ecosystem is highly complex across payers, providers and suppliers with multiple data sources retaining consumer information," Adler said. "As a result, consumers' protected information lives in a wide data distributed environment with significant variability associated with tractability and control." Conduent very likely also is under scrutiny by federal investigators, including the U.S. Department of Health and Human Services' Office of Civil Rights, Adler said. In addition, Conduent's inquiries from payers who have contractual health plan relationships across multiple states supporting Medicare and Medicaid consumers likely is an issue confronting the company, Adler said. "The Conduent breach presents sophisticated legal, strategic, business, public relations and political problems that will delight professors and bedevil law and business school students for years to come," regulatory attorney Paul Hales of Hales Law Group predicted.