Data Breach TodayArchived Jun 05, 2026✓ Full text saved
Back-Office Servicer's Breach Estimate Has More Than Doubled Since February The victim tally in back-office services firm Conduent Business Services' 2024 hack has more than doubled to over 62.2 million individuals, from an earlier estimate of "25 million plus." The incident is now on track to be at least the third-largest health data breach ever reported to regulators.
Full text archived locally
✦ AI Summary· Claude Sonnet
Data Breach Notification , Data Security , Fraud Management & Cybercrime
Conduent Hack Victim Count Now Tops 62.2 Million
Back-Office Servicer's Breach Estimate Has More Than Doubled Since February
Marianne Kolbasuk McGee (HealthInfoSec) • June 5, 2026
Credit Eligible
Get Permission
Back office support services vendor Conduent has told federal regulators its 2024 hack has now affected more than 62.2 million, more than double the company's previous estimates. (Image: Conduent)
The victim tally in back-office support services firm Conduent Business Services' 2024 hack has more than doubled to over 62.2 million people.
See Also: OnDemand | Transform API Security with Unmatched Discovery and Defense
The revised, eye-popping total Conduent reported to federal regulators apparently in recent days brings the breach closer to tying the nearly 79 million people affected by a 2015 hack on health insurer Anthem Inc., which for nearly a decade held the infamous distinction as the largest health data breach ever.
That Anthem data breach record was broken by the 2024 BlackCat/AlphV ransomware attack on UnitedHealth Group's IT services firm Change Healthcare, which affected a whopping 193 million people (see: Change Healthcare Now Counts 190 Million Data Breach Victims).
The latest update has Conduent's hack on track to be at least the third-largest health data breach ever reported to U.S. federal regulators.
New Jersey-based Conduent did not immediately respond to ISMG's request for comment on why the victim count in its hacking incident ballooned so significantly from an estimate the company provided to Wisconsin regulators in January of "25 million plus" affected people.
But in a statement to ISMG, the company did imply that the current total was not expected to change again.*
"Our process of providing notification on behalf of our clients has been effectively completed, and we do not anticipate substantial additional notifications," the statement said.
"Importantly, so far there is no evidence that any of the data involved has been misused, posted, or made publicly available. We continue to monitor closely and remain committed to supporting our clients and the individuals they serve."
Conduent, a 2017 spin-off company of Xerox, in April 2025 first publicly disclosed the hack in a filing to the U.S. Securities and Exchange Commission.
Since that first public disclosure, the company has filed various updated data breach reports to state regulators, in which the victim counts have periodically fluctuated. That included a recently updated report filed to Texas regulators in which the number of affected Texans was reduced to about 12.8 million, down from an estimate of 15.5 million in February.
The vendor said it discovered the incident on Jan. 13, 2025. The company's investigation found that hackers broke into Conduent servers from Oct. 21, 2024, to Jan. 13, 2025.
Information compromised in the incident potentially includes individuals' names, addresses, dates of birth, Social Security numbers, health insurance details and medical information.
Darkweb monitoring platform Ransomware.live found that ransomware gang SafePay listed Conduent on its leak site in February 2025 as one of its victims, threatening to publish 8.5 terabytes of the company's stolen data.
Conduent provides a wide range of back-office services to businesses and governments in 22 countries and reported $3 billion in revenue in 2025.
Conduent faces numerous civil class action lawsuits involving the incident, as well as investigations by multiple states - including Missouri, Montana and Texas, as well as by federal regulators (see: Lawsuits, Investigations Piling Up in Conduent Hack).
Experts say that process of obtaining an accurate final count for the number of people affected in a large vendor data breach that impacts many of the company's clients is often a difficult task.
Among other factors, the same person might initially inadvertently be counted more than once depending on the extent of information compromised and the number of clients affected. The level of sophistication of attackers and the complexity in the targeted IT environment can also make the determination of the breach's size and its extent more challenging.
"The healthcare ecosystem is highly complex across payers, providers and suppliers with multiple data sources retaining consumer information," said Steven Adler, partner at consulting firm The Edmund Group and a former third-party risk management executive at health insurer Humana.
"As a result, consumers' protected information lives in a wide data distributed environment with significant variability associated with tractability and control," Adler said.
*Update: June 5, 2026 UTC 20:05: Conduent's statement to ISMG added.