BA Breach & Fines Examples

Healthcare Technology Company Discloses Ransomware Attack

Cyberattacks and data breaches have recently been announced by the healthcare technology company Insightin Health and the Colorado-based medical billing and practice management company, Clinic Service Corporation.

Insightin Health, Maryland

Insightin Health, a Baltimore, MD-based healthcare technology company that offers an AI-driven digital health platform to health insurers and payers, has experienced a cyberattack involving unauthorized access to patient data. Suspicious network activity was identified in September 2025, and the forensic investigation confirmed unauthorized access to its network between September 17, 2025, and September 23, 2025.

The data review revealed the exposed files included protected health information associated with its clients, such as names, dates of birth, contract numbers, health insurance providers’ non-unique identifiers, Medicare Beneficiary Identifiers, and information associated with attributed providers. The substitute data breach notice includes steps that the affected individuals can take to protect themselves against misuse of their information. While not stated in the substitute breach notice, the affected individuals should be aware that the Medusa ransomware group claimed responsibility for the attack and threatened to publish the stolen data. The group claims to have exfiltrated 378 GB of data from the Insightin Health network.

Clinic Service Corporation, Colorado

Clinic Service Corporation, a medical billing and practice management company based in Denver, Colorado, has experienced a hacking incident that exposed sensitive data. The intrusion was identified on August 17, 2025, and the forensic investigation confirmed that its network was accessed by an unauthorized third party from August 10, 2025, to August 17, 2025.

The data review has confirmed that personally identifiable information (PII) and protected health information (PHI) were compromised in the incident, including names, addresses, phone numbers, email addresses, dates of birth, diagnoses, treatment information, patient ID numbers, dates of service, medical record numbers, Medicare/Medicaid numbers, health insurance information, claims information, and treatment cost information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services. Regulators have been notified, although the incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Healthcare Technology Company Discloses Ransomware Attack appeared first on The HIPAA Journal.

Gryphon Healthcare Agrees to Pay $2.87M to Settle Class Action Data Breach Lawsuit

Gryphon Healthcare, a Houston, TX-based revenue cycle, coding, compliance, consultancy, and management services vendor, faced multiple class action lawsuits over a July 2024 cyberattack involving a partner for which it provides billing services. Gryphon Healthcare learned about the incident in August 2024, and its investigation found that files may have been viewed or obtained. Those files contained the protected health information of 393,358 patients, including names, dates of birth, addresses, Social Security numbers, dates of service, diagnoses, medical treatment information, prescriptions, medical record numbers, and health insurance information.

On or around October 11, 2024, Gryphon Healthcare started sending notification letters to the affected individuals, and shortly thereafter, the first class action lawsuit was filed. A further eight lawsuits were subsequently filed, which were consolidated into a single complaint – Morris et al. v. Gryphon Healthcare, LLC – in the District Court for Harris County, Texas. The lawsuit asserted claims of negligence/negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, invasion of privacy, unjust enrichment, bailment, a failure to provide adequate notice pursuant to any breach notification statute or common law duty, and violations of state consumer protection laws.

While Gryphon Healthcare denies wrongdoing, fault, and liability for the cyberattack and data breach, after considering the cost and distraction of continuing the litigation and the uncertainty of trial, the decision was taken to settle. Under the terms of the settlement, Gryphon Healthcare will establish a $2,800,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards for the nine named plaintiffs. After those costs have been deducted, the remainder of the fund will be used to pay benefits to the class members.

Class members may choose one of two cash payments. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. Alternatively, they may choose to receive a cash payment, which is estimated to be $100, but may increase or decrease depending on the number of valid claims received. All class members who submit a valid claim are entitled to a two-year membership to an identity theft protection and medical data monitoring service, which includes a $1 million identity theft insurance policy. The deadline for objecting to the settlement and opting out is March 17, 2026. Claims must be submitted by April 16, 2026, and the final fairness hearing has been scheduled for August 31, 2026.

Nov 4, 2024: Gryphon Healthcare Facing Multiple Lawsuits Over 400,000-Record Data Breach

Gryphon Healthcare, a Houston, TX-based provider of revenue cycle management and medical billing services to healthcare providers, is facing multiple class action lawsuits over an August 2024 data breach that involved unauthorized access to the protected health information of almost 400,000 individuals. The compromised information included names, contact information, Social Security numbers, diagnosis and treatment information, health insurance information, and medical record numbers. The intrusion occurred via an unnamed IT service provider.

At least seven lawsuits have now been filed by individuals who were recently notified about the exposure of their protected health information. The plaintiffs allege that Gryphon Healthcare failed to implement reasonable and appropriate cybersecurity measures to protect the sensitive information it stored and also failed to monitor its network for unauthorized activity. The lawsuits assert that if appropriate defenses had been implemented and if industry standards had been adhered to, the data breach could have been prevented. Proper monitoring would have allowed the intrusion to be detected much more promptly.

The lawsuits make similar claims, including a violation of duties under common law, contract law, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Trade Commission (FTC) Act. The plaintiffs allege that the theft of their personal and protected health information has resulted in them suffering and continuing to suffer injuries, including financial harm due to the misuse of their information, lost time due to the detection and prevention of identity theft and fraud, and the loss or diminished value of their private information.

The plaintiffs make claims of negligence, negligence per se, invasion of privacy, breach of confidence, breach of fiduciary duty, breach of implied contract, breach of third-party beneficiary contract, and unjust enrichment. The lawsuits were filed in Texas federal court and seek class action certification for a nationwide class of individuals affected by the data breach, a jury trial, actual, compensatory, statutory, and punitive damages, and injunctive relief, including an order from the court requiring Gryphon Healthcare to implement a host of security measures to safeguard the personal and protected health information stored by the company.


Veradigm to Pay $10.5M to Settle Class Action Data Breach Lawsuit

The healthcare technology company Veradigm Inc. (formerly Allscripts) has agreed to settle a class action lawsuit that was filed in response to a 2024 data breach that compromised sensitive patient data. The Illinois-based company provides software tools to healthcare organizations, including electronic medical record software and practice management tools. In December 2024, cybercriminals accessed its network and potentially obtained patient data belonging to its healthcare clients. More than 2 million patients were affected. Data compromised in the incident included names, contact information, dates of birth, health record information, insurance claim data, payment information, and other identifiers, such as Social Security numbers and copies of their driver’s licenses.

The first class action lawsuit in response to the data breach was filed in June 2025 by plaintiffs Tony Goodrum and Jason Mixton, individually and on behalf of similarly situated individuals. A second class action lawsuit was subsequently filed, and the two actions were consolidated into a single action in the U.S. District Court for the Northern District of Illinois, since they had overlapping claims.

The consolidated lawsuit – Goodrum, et al. v. Veradigm Inc. – alleged that the data breach was the result of negligence, and could have been prevented had reasonable and appropriate cybersecurity measures been implemented. In addition to negligence, the lawsuit asserted claims for negligence per se, breach of implied contract, unjust enrichment, declaratory judgment, and injunctive relief.

Veradigm denies all claims of wrongdoing and liability; however, shortly after the two lawsuits were filed, the company explored the prospect of early resolution. Following mediation after the consolidated lawsuit was filed, an agreement in principle was reached to settle the litigation, with no admission of liability or wrongdoing. Class counsel and the class representatives believe the negotiated settlement is fair and in the best interests of the class members.

Under the terms of the settlement agreement, Veradigm has agreed to establish a $10,500,000 settlement fund to cover claims for benefits for the class members, settlement administration costs, and attorneys’ fees and costs, as approved by the court. Class members are entitled to submit a claim for up to $5,000 as reimbursement of documented, unreimbursed losses due to the data breach or, alternatively, may claim a cash payment, which is expected to be $50, but will be adjusted based on the number of valid claims received. Regardless of the option chosen, class members are also entitled to claim a two-year membership to a medical data monitoring product. Further information on what may be claimed can be found on the settlement website: https://veradigmdatasettlement.com/

The deadline for objection and opting out of the settlement is February 17, 2026. Claims must be submitted by March 3, 2026, and the final fairness hearing has been scheduled for March 18, 2026.


Tens of Thousands of Patients Affected by Two Business Associate Data Breaches

Mid Michigan Medical Billing Service, a Flint, MI-based revenue cycle management company that provides billing support services to HIPAA-covered entities, has fallen victim to a cyberattack that exposed the sensitive data of patients of its healthcare clients.

Suspicious network activity was identified on March 27, 2025, and the forensic investigation confirmed that an unauthorized third party accessed and copied data from its network. The affected data was reviewed to determine the types of information involved and the affected individuals. Mid Michigan Medical Billing Service then notified the affected covered entity clients and worked with them to provide notice to the affected individuals.

The file review confirmed that the protected health information of 28,185 individuals had been exposed in the cyberattack. The compromised data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, driver’s license/government-issued identification number, Medicare/Medicaid identification number, diagnosis/treatment information, medical record number/patient account number, health insurance information, payment card number, employer identification number, passport number, treating/referring provider name, and biometric data. For a limited number of individuals, Social Security numbers were involved.

VillageCareMAX, New York

VillageCareMAX, a New York, NY-based provider of health plans and community healthcare services to seniors and individuals with chronic diseases, has announced a data breach involving one of its business associates, TMG Health.

VillageCareMAX uses the Cognizant-owned TMG Health to assist with the administration of its members’ health plans. TMG Health identified unauthorized activity within its information system on September 19, 2025. The unauthorized access was immediately terminated, and an investigation was launched to determine the nature and scope of the unauthorized activity. TMG Health determined that an unauthorized third party had access to its network for 10 months from November 20, 2024, to September 19, 2025. During that time, VillageCareMAX members’ protected health information may have been accessed and acquired.

The affected data included names, member identification numbers, health information, and Social Security numbers. While no misuse of that data has been identified, the affected individuals have been offered complimentary credit monitoring and identity theft recovery services. VillageCareMAX has received assurances that TMG Health has implemented technological and procedural enhancements to prevent similar incidents in the future.

VillageCareMAX provides services to more than 35,000 individuals each year. It is currently unclear how many of those individuals have been affected.


Patient Data Compromised in Cyberattacks on Sleep Specialists

Two sleep specialists, Persante Health Care in New Jersey and SomnoSleep Consultants in Virginia, have recently disclosed security incidents that exposed patient information.

Persante Health Care Patients Informed About January 2025 Cyberattack

Persante Health Care, a Mount Laurel Township, NJ-based national provider of sleep and balance center management services to hospitals and physician practices, has announced a security incident that was detected on or around January 28, 2025.

Unusual activity was identified within its computer network and, assisted by third-party cybersecurity experts, it was determined that an unauthorized third party accessed its network between January 23 and January 28, 2025. During that time, files containing patient information may have been accessed or acquired. It took more than 8 months to review the affected files to determine whether patient data had been exposed. On October 3, 2025, the data review confirmed that personal and protected health information was involved.

The exposed data varied from individual to individual and may have included names in combination with one or more of the following: date of birth, Social Security number, driver’s license number, state identification number, passport number, government identification number, taxpayer identification number, date(s) of service, physician or facility name, patient account number, medical record number, financial account information, payment card number, medical device identifier(s), and/or biometric identifier(s).

The Federal Bureau of Investigation was informed about the cyberattack, and Persante Health Care is assisting with the investigation. Additional measures have been implemented to reduce the risk of similar incidents in the future, and the affected individuals were notified by mail on November 26, 2025. The number of affected individuals has yet to be publicly disclosed.

SomnoSleep Consultants’ Patients Affected by Business Associate Data Breach

Patients of Annadale, VA-based SomnoSleep Consultants have been notified about a security incident at a third-party billing vendor, Avosina Healthcare Solutions. The vendor detected unauthorized access to its network on July 29, 2025, in what appears to have been a ransomware attack. Avosina said it was able to restore its services from backups; therefore, no ransom was paid. The FBI was notified, and third-party cybersecurity experts were engaged to determine the nature and scope of the incident and implement additional security measures to protect against further attacks.

The investigation confirmed that some documents were exfiltrated from its network. The analysis of those files confirmed that they contained patients’ names, addresses, medical information, and health insurance information. SomnoSleep said there was no unauthorized access to any files that are part of its electronic medical record system.

Avosina notified SomnoSleep about the attack on September 29, 2025, and on November 17, 2025, SomnoSleep provided additional information on the affected patients and delegated the responsibility for sending notification letters to its business associate. SomnoSleep said that no evidence has been found to indicate that any of the impacted patient data has been misused.

Avosina confirmed to SomnoSleep that steps have been taken to correct the vulnerability that was exploited by the threat actor, and other security measures have been implemented to protect against any further unauthorized network access. Internal data management protocols have also been reviewed.


Geisinger Health & Nuance Communications Data Breach Litigation Settled for $5 Million

The Danville, Pennsylvania-based healthcare provider Geisinger Health and its former IT vendor Nuance Communications, Inc., have agreed to a $5 million settlement to resolve class action litigation over a 2023 insider data breach involving a former Nuance Communications employee.

On or around November 29, 2023, Geisinger Health learned that a former Nuance Communications employee, Andre J. Burk (also known as Max Vance), accessed the sensitive data of Geisinger Health patients two days after he was terminated by Nuance Communications. The data had been provided to Nuance Communications in connection with the services the IT company was contracted to provide. The breach was detected by Geisinger Health, rather than Nuance Communications, and it alerted its IT vendor about the breach.

Under HIPAA, business associates of HIPAA-regulated entities must comply with the HIPAA Security Rule, one of the requirements of which is to ensure that access rights are immediately revoked when employees are terminated. When notified about the unauthorized access, Nuance Communications terminated the former employee’s access rights and launched an investigation, which revealed that the former employee had potentially obtained the protected health information of more than 1.2 million Geisinger Health patients, including names, dates of birth, Social Security numbers, medical information, and health insurance information.

The affected individuals started to be notified about the data breach on June 24, 2024. The delay in notification was at the request of law enforcement. The HHS’ Office for Civil Rights was informed that the protected health information of 1,276,026 individuals was involved. Max Vance is now facing criminal charges over the data theft – one count of obtaining information from a protected computer – and his trial is scheduled for early January 2026.

Several lawsuits were filed against Geisinger Health and Nuance Communications, Inc. in response to the data breach, which were consolidated into a single action in July 2024 – In re: Geisinger Health Data Security Incident Litigation – in the U.S. District Court for the Middle District of Pennsylvania. The consolidated lawsuit alleged that the defendants failed to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard the plaintiffs’ and class members’ personal and protected health information.

The lawsuit alleged that Geisinger Health failed to ensure that its vendors employed reasonable security measures, that Nuance Communications failed to properly monitor its systems for intrusions, that network segmentation was insufficient, that the defendants failed to comply with FTC guidelines and the HIPAA Rules, and that they did not adhere to industry-standard cybersecurity measures. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and declaratory judgment and injunctive relief against both defendants, and breach of fiduciary duty against defendant Geisinger Health.

The defendants disagree with the claims in the lawsuit; however, they chose to settle with no admission of wrongdoing to avoid the expense and uncertainty of a trial and related appeals. The settlement received preliminary approval from District Court Judge Matthew W. Brann on November 18, 2025. Under the terms of the settlement, the defendants will establish a $5,000,000 settlement fund, from which attorneys’ fees and expenses, service awards, and settlement administration costs will be deducted. The remainder of the funds will be used to pay benefits to the class members.

The class consists of 1,308,363 class members who may choose to receive a one-year membership to a credit monitoring and identity theft protection service. In addition, a claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to $5,000 per class member. Alternatively, instead of a claim for reimbursement of losses, class members may choose to receive a pro rata cash payment. The final approval hearing has been scheduled for March 16, 2026, and claims must be submitted by March 18, 2026.

June 24, 2024: Geisinger: Former Business Associate Employee Unlawfully Accessed PHI of More Than 1.2 Million Patients

More than one million Geisinger patients are being notified that their protected health information has been unlawfully accessed by a former employee of one of its business associates, Nuance Communications.

Nuance Communications provides information technology services to Geisinger, which requires access to systems containing patient information. On November 29, 2023, Geisinger detected unauthorized access to patient data by a former Nuance employee and immediately notified Nuance about the incident. Nuance immediately terminated the former employee’s access and launched an investigation, which confirmed that the former employee accessed patient data two days after they were terminated.

The former employee may have viewed and acquired the data of more than one million Geisinger patients. The data varied from patient to patient and may have included names, addresses, phone numbers, dates of birth, admission/discharge/transfer codes, medical record numbers, facility name abbreviations, and race and gender information. Nuance has confirmed that the employee did not have access to Social Security numbers, financial information, or claims/insurance information.

The Department of Justice can pursue criminal charges for HIPAA violations under the Social Security Act when individuals knowingly violate HIPAA. When an employee of a HIPAA-covered entity or business associate has their employment terminated, HIPAA still applies. The penalties for accessing and obtaining protected health information are severe and can include a hefty fine and jail time. A tier 1 violation carries a maximum penalty of up to a year in jail, a tier 2 violation carries a jail term of up to 5 years, and a sentence of up to 10 years in jail is possible for a tier 3 violation – obtaining PHI for personal gain or with malicious intent. Geisinger has confirmed that the unauthorized access was reported to law enforcement and the former Nuance employee has been arrested and is facing federal criminal charges.

Due to the high risk of unauthorized access to patient data by former employees, HIPAA-covered entities and their business associates are required to develop and implement procedures for terminating access to electronic protected health information when employment comes to an end under the workforce security standard of the HIPAA Security Rule – 45 CFR § 164.308 (3)(ii)(C). This incident clearly shows why it is vital to revoke access immediately upon termination of employment. The HHS’ Office for Civil Rights has taken action over violations of this Security Rule provision in 2020 (City of New Haven) and 2018 (Pagosa Springs Medical Center).

The Risant Health-owned health system has confirmed that Nuance Communications is mailing notifications to the affected individuals. Patients have been advised to review the statements they receive from their health plans and contact their health insurer if any services appear on their statements that they have not received. A helpline has been set up for individuals requiring further information about the breach – 855-575-8722. The helpline is manned from 9 a.m. to 9 p.m. ET Monday to Friday. Callers should quote engagement number B124651.

The breach was reported to the HHS’ Office for Civil Rights as affecting 1,276,026 individuals.

This article has been updated to state the number of people affected by the breach, as that information was unavailable at the time of the initial post.


EHR Vendor Identifies Business Associate Data Breach

Data breaches have recently been announced by the EHR vendor CareTracker (Amazing Charts) and the Wisconsin health system, Marshfield Clinic.

CareTracker (Amazing Charts)

CareTracker Inc., doing business as Amazing Charts, an electronic health record and practice management platform provider, has been affected by a security incident at one of its vendors. On June 19, 2025, Amazing Charts identified unusual activity within a system managed by a third-party vendor. Immediate action was taken to secure the vendor’s environment, and an investigation was launched to determine the nature and scope of the activity.

The investigation confirmed unauthorized access to the service provider’s network between June 15, 2025, and June 19, 2025. Files were then reviewed to determine the individuals affected and the types of data involved. Due to the complexity of the data review, that process has only recently been completed.

Data potentially compromised in the incident included names in combination with one or more of the following: diagnoses, treatment information, physician names, medical record numbers, and health insurance information. Notification letters have recently been mailed to the affected individuals, and complimentary credit monitoring services have been offered for 12 months. At the time of notification, no misuse of the affected information had been identified.

Marshfield Clinic Health System

Marshfield Clinic Health System, an integrated health system serving Wisconsin and Michigan’s Upper Peninsula, identified unauthorized access to certain employee email accounts on or around August 27, 2025. The forensic investigation confirmed that an unauthorized third party had access to the accounts from August 26 to August 27, 2025, and potentially accessed or copied emails containing patient information. The types of information compromised in the incident varied from individual to individual and may have included names, medical record numbers, health insurance information, and diagnosis and treatment information.

The affected individuals are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.


Wakefield & Associates Announces Breach of Client Data

Wakefield & Associates, a Knoxville, Tennessee-based vendor that offers revenue cycle & collections services to healthcare providers, has recently announced a security incident that was identified on or around January 17, 2025.

Wakefield & Associates explained in a website data breach notice that suspicious activity was identified within its computer systems, and the forensic investigation confirmed unauthorized access to files containing the protected health information of patients of its healthcare clients. Some of those files were exfiltrated from its network on or before January 17, 2025. The breach notice issued to the Maine Attorney General states that initial access occurred on January 14, 2025.

Following an extensive review of the exposed data, Wakefield & Associates determined on September 24, 2025, that some of the exposed files contained protected health information that was provided to the company by its healthcare clients. The information potentially compromised in the incident was mostly limited to names and collection account information, although for some individuals, it included their Social Security number, financial account information, driver’s license number/state identification number, and/or health information.

Wakefield & Associates is issuing notification letters on behalf of its affected clients and is offering the affected individuals complimentary credit monitoring and identity theft protection services. Existing security policies and procedures have been reviewed, and additional safeguards have been implemented to prevent similar incidents in the future.

The breach notice does not state the nature of the cyberattack, but this appears to have been a ransomware attack by the Akira threat group. Akira claimed in a February 11, 2025, listing on its dark web data leak site that it stole 13 GB of data in the attack, including patient and employee information.

Wakefield & Associates said law enforcement was notified, and the data security incident has been reported to regulators. The HHS’ Office for Civil Rights (OCR) breach portal has not been updated since late September due to the government shutdown, so it is currently unclear how many individuals have been affected. The Montana Attorney General was informed that 26,624 state residents were affected, and the Maine Attorney General was notified that 41 Maine residents were affected. Northern Montana Health Care has confirmed that it was one of the affected clients.


Conduent Business Services Data Breach Affected More Than 62.2 Million Individuals

In January 2025, news first surfaced about a massive data breach at Conduent Business Services, a vendor that provides printing, mailing, document processing, payment integrity, and other back-office services to healthcare providers, health plans, and government agencies. Conduent first identified the security breach on January 13, 2025; however, the forensic investigation determined that hackers had access to its computer network for three months, starting on October 21, 2024. At the time, the true scale of the breach was unknown.

Based on breach reports submitted to the state attorneys general in Oregon and Texas, at least 25 million Americans were known to have been affected in those states alone; however, the full scale of the breach has only recently been confirmed. Conduent has provided an updated total to the Department of Health and Human Services Office for Civil Rights (OCR), indicating that the protected health information of at least 62,224,658 individuals was compromised in the incident.

When a data breach occurs at a business associate of a HIPAA-covered entity, it is ultimately the responsibility of each affected covered entity to ensure that notifications are issued about the breach, including to OCR, the media, and the affected individuals. HIPAA-covered entities must ensure that the notifications are issued, but they may delegate that responsibility to the business associate. Conduent offered to send notifications on behalf of its covered entity clients, but it is unclear whether each affected covered entity delegated that responsibility to Conduent. The total number of affected individuals may therefore be higher.

At more than 62.2 million individuals, the data breach ranks as the third-largest healthcare data breach of all time, behind the 2024 data breach at Change Healthcare, which affected an estimated 192.7 million individuals, and the 2015 data breach at Anthem Inc., which affected approximately 78.8 million individuals. Since 2009, OCR has been publishing summaries of healthcare data breaches affecting 500 or more individuals on its website, as required by the HITECH Act of 2009. The addition of the Conduent Business Services data breach sees the number of individuals affected by large healthcare data breaches increase to more than 1 billion. Between October 2009 and April 2026, the protected health information of 1,033,206,197 Americans has been breached.

May 12, 2026: Missouri Regulators Claim Conduent is Stonewalling State’s Data Breach Investigation

An investigation by regulators in Missouri into the 2024 hacking incident at Conduent Business Services has stalled. The Missouri Department of Commerce and Insurance (DCI, referred to below as the Department of Commerce) claims it is being stonewalled by Conduent, which has not provided the information it requires about the data breach.

Conduent, a provider of printing, mailroom, document processing, payment integrity, and other back-office support services, discovered in January 2025 that hackers accessed parts of its network between October 21, 2024, and January 13, 2025, and potentially exfiltrated files containing electronic protected health information. Data potentially compromised in the incident included names, addresses, Social Security numbers, and medical records. Conduent has taken steps to notify insurers, members, and law enforcement about the cybersecurity breach and has offered the affected individuals 12 months of complimentary credit monitoring services.

The breach was significant, affecting tens of millions of individuals. In a February 2025 filing with the Wisconsin Department of Agriculture, Trade, and Consumer Protection, Conduent estimated that 25 million individuals were affected; however, 16 months after the discovery of the data breach, the full scale of the data breach has yet to be confirmed.

On March 17, 2026, the Missouri Department of Commerce issued an insurance bulletin seeking information about the data breach, in which it strongly encouraged all insurers and other entities regulated by the department to determine if their members had been affected and, if so, to ensure that they are notified by Conduent. The Department of Commerce said it has been in direct contact with Conduent since it issued the bulletin; however, Conduent has been unwilling to provide the department with the information it requires to fully assess the impact of the data breach. While the Department of Commerce claims Conduent has been unwilling to answer the questions, Conduent may not be able to provide those answers.

“We are concerned and disappointed that Conduent has not provided sufficient information for regulators to fully assess the potential impact of this breach,” DCI Director Angela Nelson said. “Clear and timely communication is critical in these situations, and we are continuing to seek the details needed to evaluate any risk to Missouri insurance consumers.” The matter has now been escalated by the Department of Commerce, which issued another bulletin requesting insurers share information directly with the department about any Conduent services used, or those of its affiliates, prior to or during the period of the breach, along with information about the nature of those services. “We are committed to using every tool available to understand the scope of this incident and to ensure Missourians have the information and resources needed to protect themselves,” Director Nelson said.

“Because of Conduent’s failure to provide information, the Department asks that any insurer or other entity regulated by the Department that utilized the services of Conduent or any of its affiliates prior to or during the time period of the cybersecurity breach, either directly or indirectly, contact the Department’s Market Conduct Section,” states the Department of Commerce in the bulletin.

Conduent issued a statement confirming that it is cooperating with the Department of Commerce to the full extent possible without violating any laws, regulations, or contractual obligations, and said it will continue to respond to the department’s requests. “The cybersecurity incident affected Conduent Business Services, which is not a licensee with DCI. Conduent agreed to provide notice on behalf of its clients; however, Conduent does not have visibility regarding which of its clients are licensees with DCI, and it has no authority to speak with DCI on behalf of any clients.” Conduent has contacted all of its clients and advised them about the Department of Commerce bulletin, and asked licensees with affected Missouri residents to submit a report directly to the Department of Commerce.

In addition to requesting information from the affected clients, the Department of Commerce is encouraging all consumers who were notified that they have been affected to review the communications they receive carefully, and suggests that they should continue to monitor their financial and credit activity. The deadline for signing up for the complimentary credit monitoring services has passed, so the Department of Commerce recommends that consumers check their free credit reports and consider placing a fraud alert or credit freeze with credit reference agencies.

February 13, 2026: Texas Attorney General Investigates 25M+ Conduent Business Services Data Breach

Texas Attorney General Ken Paxton has announced that his office has launched an investigation into the data breach at Conduent Business Services, stating that this could potentially be the largest healthcare data breach in U.S. history. While it is certain that the data breach is one of the largest, the 2024 data breach at Change Healthcare will take some beating. That data breach affected 192.7 million individuals.

The list of confirmed victims has continued to grow, with Premera Blue Cross, Humana, Volvo Group North America (17,000 employees), and various Blue Cross and Blue Shield (BCBS) plans (Texas, Montana, Illinois) known to have been affected. The full list of affected entities has not been disclosed.

As reported below, the Conduent data breach involved unauthorized access to information such as names, birthdates, addresses, Social Security numbers, medical information, and health insurance information. Hackers had access to its systems from October 21, 2024, to January 13, 2025, and more than a year after the incident was detected, the total number of affected individuals has yet to be confirmed.

“The Conduent data breach was likely the largest breach in U.S. history,” Mr. Paxton said in a statement. “If any insurance giant cut corners or has information that could help us prevent breaches like this in the future, I will work to uncover it.”

Attorney General Paxton is seeking information on the security policies, practices, and protocols at Conduent to determine if the company complied with state law, and has requested evidence from one of the victims: Blue Cross Blue Shield of Texas. Conduent provides mailroom, payment, and back-office support to BCBS of Texas, which requires access to certain types of member information. BCBS of Texas has yet to disclose how many of its members were affected, but overall, Attorney General Paxton has been informed that more than 15.49 million individuals in Texas have been affected. That total has increased at least twice since the initial notification was issued.

“From the outset of this incident, we acted promptly and in alignment with incident‑response protocols to contain and investigate the issue. We engaged leading third‑party cybersecurity experts, disclosed the incident through an 8-K filing, notified clients and relevant authorities, and worked to support those impacted by the event, including most recently sending notifications on clients’ behalf. To date, there is no evidence that any underlying data has been misused, posted, or made publicly available, and we continue to monitor closely,” a spokesperson for Conduent said in a statement provided to The HIPAA Journal. “We look forward to working cooperatively with the Texas Attorney General’s Office to provide the relevant information, consistent with our longstanding practice of constructive engagement with regulators.”

February 4, 2026: Conduent Business Services Data Breach Victim Count Swells to Over 25M

Conduent Business Services in New Jersey had previously confirmed in a breach report to the Oregon Attorney General that a 2024 hacking incident affected 10.5 million individuals. While already a massive data breach and one of the largest healthcare data breaches to be announced in 2025, the victim count has grown considerably.

A breach report submitted to the Texas attorney general indicated that almost 14.8 million individuals in Texas alone (14,791,500) had their personal and protected health information compromised in the incident. That total has since been updated to 15,494,592 individuals as the investigation and data review have progressed. The initial breach report to the Texas attorney general in October 2025 indicated that around 4 million individuals were affected. In addition to Oregon and Texas, notifications have been sent to state attorneys general in California, Delaware, Indiana, Maine, Massachusetts, New Hampshire, and Vermont. Out of those, Indiana (5,892 affected individuals) and Maine (374 individuals) have published figures on the number of affected individuals.

Conduent Business Services has sent several notifications to the New Hampshire attorney general confirming that data connected with one or more covered entities and data owners was compromised. In the letters sent since its initial notification to the New Hampshire Attorney General on October 8, 2025, Conduent has confirmed that a further 67,555 state residents were affected.

The SafePay ransomware group claimed responsibility for the attack on Conduent Business Services in February 2025, adding the company to its dark web data leak site. SafePay claimed to have stolen 8.5 terabytes of data in the attack and threatened to publish the stolen data if the ransom was not paid. Conduent is no longer listed on the site.

Many HIPAA-covered entities and government agencies contract with Conduent Business Services, which provides mailroom and other back-office services. Conduent’s client list includes health insurance giants such as Humana – a top 5 U.S. health insurer, Premera Blue Cross – the largest health insurer in the Pacific Northwest, Blue Cross and Blue Shield of Texas – the largest health insurer in Texas, and Blue Cross and Blue Shield of Montana – the largest health insurer in Montana.

Conduent Business Services has offered to issue notification letters to the affected individuals on behalf of its HIPAA-covered entity clients, but has yet to confirm the total number of affected individuals. The HHS’ Office for Civil Rights breach portal still lists the breach as affecting 42,616 individuals. Gold Coast Health Plan has confirmed that it was affected, although only 540 of its plan members had their data compromised in the incident.

While it may appear straightforward to determine the data compromised in an incident and the number of individuals affected, data breach investigations and data reviews can be complicated, and it can take many weeks or months to obtain an accurate list of the affected individuals. Conduent has been providing regular updates to state attorneys general as the investigation and data review have progressed, although it may be some time before the true scale of the data breach is confirmed. Conduent has issued a statement confirming that it plans to finish issuing notifications in early 2026.

November 11, 2025: Conduent Anticipates $25M Data Breach Cost by Q1, 2026

In its first-quarter earnings report, Conduent said the January 2025 cyberattack itself had no material impact on its operating environment or costs. According to its third-quarter earnings report, however, it had incurred $9 million in breach costs related to notifications by the end of September 2025 and anticipates a further $16 million in costs by the first quarter of 2026. Conduent said it holds a cyber insurance policy and anticipates that any additional notification costs will be covered by the policy.

Further costs may be incurred due to the impacted data, reputational harm, litigation, and regulatory actions, which could impact the company’s financial position. As reported below, several lawsuits have already been filed in response to the data breach, and Conduent is certain to be investigated by the HHS’ Office for Civil Rights and state attorneys general. Regulatory fines may be imposed if Conduent is found to have violated state or federal regulations.

November 7, 2025: Lawsuits Mount Over 10.5 Million-Record Conduent Data Breach

A data breach affecting more than 10.5 million individuals was certain to trigger a barrage of lawsuits, and litigation has been swift, with at least 9 class action lawsuits already filed in response to the Conduent data breach in New Jersey federal court. That total is certain to grow over the coming days and weeks, as many law firms have announced that they have opened investigations regarding potential class action litigation.

The lawsuits make similar claims – that Conduent was negligent by failing to adequately protect its network against unauthorized access and for its alleged failure to provide adequate notifications to the individuals affected by the data breach. The cyberattack was first detected by Conduent in January 2025, three months after hackers first gained access to its network. Conduent first announced the data breach three months later, confirming that sensitive data had been exposed and that the incident affected a substantial number of individuals.

It naturally takes time to investigate any data breach and to determine the number of individuals affected and the types of data involved; however, the lawsuits take issue with the length of that process. It has taken 10 months from when the cyberattack was first detected for the scale of the breach to become clear and for the affected individuals to be notified that their sensitive information has been compromised. Notification letters started to be sent in October 2025, one year after Conduent’s network was first accessed by unauthorized individuals.

In addition to negligence and negligence per se, the lawsuits assert claims such as breach of third-party beneficiary contract and unjust enrichment, and seek a jury trial, compensatory, statutory, and punitive damages, and injunctive relief, requiring the court to order Conduent to implement a range of security measures to ensure sensitive data is adequately protected.

The threat group behind the attack may have been the SafePay ransomware group, which added Conduent to its data leak site in January 2025, although Conduent is not currently listed on the SafePay data leak blog. A listing being removed often means that a ransom has been paid or the stolen data has been sold, although ransomware groups have been known to fabricate claims.

Class action lawsuits are mounting, but Conduent is also likely to face regulatory scrutiny over the data breach. States are likely to investigate a data breach of this magnitude to determine whether appropriate cybersecurity measures had been implemented in line with state laws and the HIPAA Security Rule. Questions are likely to be asked about how the hackers were able to gain access to such a large amount of sensitive data.

Conduent will also face scrutiny from the HHS’ Office for Civil Rights, which will seek to establish whether the data breach was the result of HIPAA compliance failures. While OCR HIPAA compliance investigations often take many months or years, OCR has indicated it is prioritizing high-impact incidents, as it did with the cyberattack on Change Healthcare, which affected north of 190 million individuals. There is, at this stage, no indication that Conduent has violated any regulations at the federal or state level.

October 28, 2025: More Than 10.5 Million Patients Affected by Conduent Business Services Data Breach

A data breach at a business associate of several HIPAA-covered entities and government agencies has resulted in the exposure and potential theft of the protected health information of more than 10.5 million patients. The Conduent Business Services data breach is the largest healthcare data breach to be announced so far this year, affecting almost twice as many individuals as the second-largest data breach, which was reported earlier this year by Yale New Haven Health. It also ranks as the 8th largest healthcare data breach in history.

Conduent Business Services provides a range of back-office services, including printing, mailing, document processing, payment integrity services, and other support services to government agencies and healthcare organizations. It is currently unknown how many HIPAA-regulated entities have been affected by the data breach.

Blue Cross and Blue Shield of Montana recently announced that it had been affected and that notification letters are being mailed to 462,000 individuals. Blue Cross and Blue Shield of Texas has announced that approximately 310,000 UT Select and UT Care plan members have been affected. The incident is also known to have affected Humana customers and Premera Blue Cross members, although it is unclear how many. Conduent provides services to government agencies such as the Wisconsin Department of Children and Families and Oklahoma Human Services (OHS), which experienced a temporary disruption to some of their services due to the outage in January, although OHS was informed that it did not have sensitive data exposed in the incident.

State regulators have been informed that 10,515,849 patients have been affected, including more than 4 million individuals in Texas. It is unclear if any non-healthcare clients had data compromised in the incident. The Conduent Business Services data breach was reported to the U.S. Securities and Exchange Commission (SEC) in April. In the SEC filing, Conduent explained that a threat actor gained access to a limited portion of its network IT environment and obtained the data of “a significant number” of people. The incident is not yet shown on the HHS’ Office for Civil Rights (OCR) breach portal, which has not been updated by OCR since September 24, 2025, due to the government shutdown.

The intrusion was detected on January 13, 2025. Assisted by third-party digital forensics experts, Conduent determined that initial access occurred on October 21, 2024, with the threat actor maintaining access for almost three months until Conduent secured its network on January 13, 2025. Conduent said it restored access to the affected systems within days, and in some cases, within hours, and the incident did not have any material impact on its operations.

The investigation confirmed that the threat actor exfiltrated files associated with some of its clients. Due to the complexity of the data involved, it has taken several months to complete the file review and determine the individuals affected and the types of data involved. Individual notifications are now being mailed to the affected individuals.

Information compromised in the incident varies from company to company and individual to individual, potentially involving names, dates of birth, Social Security numbers, treatment information, and claims information. Based on the notice provided to the California Attorney General, complimentary credit monitoring and identity theft protection services do not appear to have been offered.

While the total cost of the cyberattack is not yet known, Conduent said in its May 2025 first-quarter earnings report that it incurred $25 million in direct costs related to the breach response. A cyber insurance policy is held, which will cover a proportion of the cost.

This post will be updated when further information is released.

The post Conduent Business Services Data Breach Affected More Than 62.2 Million Individuals appeared first on The HIPAA Journal.