Conduent Anticipates Data Breach Cost to Rise to $50M by Q1, 2026

In its first-quarter earnings report, Conduent said it did not experience any material impacts to its operating environment or costs from the January 2025 cyberattack itself; however, it did incur $25 million in non-recurring expenses from direct response costs. Those losses have continued to increase, with a further $9 million added to that total for breach notifications through the end of September, according to its third-quarter earnings report.

Conduent also anticipates incurring a further $16 million in costs related to breach notifications by the first quarter of 2026, but said it holds a cyber insurance policy and anticipates that any additional notification costs will be covered by the insurance policy.

Further costs may be incurred due to the impacted data, reputational harm, litigation, and regulatory actions, which could impact the company’s financial position. As reported below, several lawsuits have already been filed in response to the data breach, and Conduent is certain to be investigated by the HHS’ Office for Civil Rights and state attorneys general. Regulatory fines may be imposed if Conduent is found to have violated state or federal regulations.

November 7, 2025: Lawsuits Mount Over 10.5 Million-Record Conduent Data Breach

A data breach affecting more than 10.5 million individuals was certain to trigger a barrage of lawsuits, and litigation has been swift, with at least 9 class action lawsuits already filed in response to the Conduent data breach in New Jersey federal court. That total is certain to grow over the coming days and weeks, as many law firms have announced that they have opened investigations regarding potential class action litigation.

The lawsuits make similar claims – that Conduent was negligent by failing to adequately protect its network against unauthorized access and for its alleged failure to provide adequate notifications to the individuals affected by the data breach. The cyberattack was first detected by Conduent in January 2025, three months after hackers first gained access to its network. Conduent first announced the data breach three months later, confirming that sensitive data had been exposed and that the incident affected a substantial number of individuals.

It naturally takes time to investigate any data breach and to determine the number of individuals affected and the types of data involved; however, the lawsuits take issue with the length of that process. It has taken 10 months from when the cyberattack was first detected for the scale of the breach to become clear and for the affected individuals to be notified that their sensitive information has been compromised. Notification letters started to be sent in October 2025, one year after Conduent’s network was first accessed by unauthorized individuals.

In addition to negligence and negligence per se, the lawsuits assert claims such as breach of third-party beneficiary contract and unjust enrichment, and seek a jury trial, compensatory, statutory, and punitive damages, and injunctive relief, requiring the court to order Conduent to implement a range of security measures to ensure sensitive data is adequately protected.

The threat group behind the attack may have been the Safepay ransomware group, which added Conduent to its data leak site in January 2025, although Conduent is not currently listed on the Safepay data leak blog. That often means that a ransom has been paid or the stolen data has been sold, although ransomware groups have been known to fabricate claims.

Class action lawsuits are mounting, but Conduent is also likely to face regulatory scrutiny over the data breach. States are likely to investigate a data breach of this magnitude to determine whether appropriate cybersecurity measures had been implemented in line with state laws and the HIPAA Security Rule. Questions are likely to be asked about how the hackers were able to gain access to such a large amount of sensitive data.

Conduent will also face scrutiny from the HHS’ Office for Civil Rights, which will seek to establish whether the data breach was the result of HIPAA compliance failures. While OCR HIPAA compliance investigations often take many months or years, OCR has indicated it is prioritizing high-impact incidents, as it did with the cyberattack on Change Healthcare, which affected north of 190 million individuals. There is, at this stage, no indication that Conduent has violated any regulations at the federal or state level.

October 28, 2025: More Than 10.5 Million Patients Affected by Conduent Business Solutions Data Breach

A data breach at a business associate of several HIPAA-covered entities and government agencies has resulted in the exposure and potential theft of the protected health information of more than 10.5 million patients. The Conduent Business Solutions data breach is the largest healthcare data breach to be announced so far this year, affecting almost twice as many individuals as the second-largest data breach, which was reported earlier this year by Yale New Haven Health. It also ranks as the 8th largest healthcare data breach in history.

Conduent Business Solutions provides a range of back-office services, including printing, mailing, document processing, payment integrity services, and other support services to government agencies and healthcare organizations. It is currently unknown how many HIPAA-regulated entities have been affected by the data breach.

Blue Cross and Blue Shield of Montana recently announced that it had been affected and that notification letters are being mailed to 462,000 individuals. Blue Cross and Blue Shield of Texas has announced that approximately 310,000 UT Select and UT Care plan members have been affected. The incident is also known to have affected Humana customers and Premera Blue Cross members, although it is unclear how many. Conduent provides services to government agencies such as the Wisconsin Department of Children and Families and Oklahoma Human Services (OHS), which experienced temporary disruption to some of their services due to the outage in January, although OHS was informed that it did not have sensitive data exposed in the incident.

State regulators have been informed that 10,515,849 patients have been affected, including more than 4 million individuals in Texas. It is unclear if any non-healthcare clients had data compromised in the incident. The Conduent Business Solutions data breach was reported to the U.S. Securities and Exchange Commission (SEC) in April. In the SEC filing, Conduent explained that a threat actor gained access to a limited portion of its network IT environment and obtained the data of “a significant number” of people. The incident is not yet shown on the HHS’ Office for Civil Rights (OCR) breach portal, which has not been updated by OCR since September 24, 2025, due to the government shutdown.

The intrusion was detected on January 13, 2025. Assisted by third-party digital forensics experts, Conduent determined that initial access occurred on October 21, 2024, with the threat actor maintaining access for almost three months until Conduent secured its network on January 13, 2025. Conduent said it restored access to the affected systems within days, and in some cases, within hours, and the incident did not have any material impact on its operations.

The investigation confirmed that the threat actor exfiltrated files associated with some of its clients. Due to the complexity of the data involved, it has taken several months to complete the file review and determine the individuals affected and the types of data involved. Individual notifications are now being mailed to the affected individuals.

Information compromised in the incident varies from company to company and individual to individual, potentially involving names, dates of birth, Social Security numbers, treatment information, and claims information. Based on the notice provided to the California Attorney General, complimentary credit monitoring and identity theft protection services do not appear to have been offered.

While the total cost of the cyberattack is not yet known, Conduent said in its May 2025 first-quarter earnings report that it incurred $25 million in direct costs related to the breach response. A cyber insurance policy is held, which will cover a proportion of the cost.

This post will be updated when further information is released.

The post Conduent Anticipates Data Breach Cost to Rise to $50M by Q1, 2026 appeared first on The HIPAA Journal.

Data Breaches Announced by ModMed, LifeBridge Health & Right at Home

Data breaches have been announced by the EHR provider Modernizing Medicine (ModMed), the Baltimore healthcare provider LifeBridge Health, and the home health care provider Right at Home.

Modernizing Medicine

Modernizing Medicine (ModMed), a provider of specialty-specific electronic health record software, has recently notified state attorneys general about a July 2025 security incident involving theft of data from its systems. Suspicious activity was identified on its computer servers on July 21, 2025. An investigation was launched to determine the cause of the activity, and on July 29, 2025, it was confirmed that there had been unauthorized access to its servers between July 9, 2025, and July 10, 2025, during which time files containing sensitive data were copied from the servers.

The files were reviewed and found to contain personal and protected health information such as full names, dates of birth, addresses, phone numbers, email addresses, Social Security numbers, medical record numbers, patient account numbers, provider and practice names, billing and diagnostic codes, prescriptions/medications, diagnosis and treatment information, bank/financial account information, driver’s license numbers/government ID cards, and health insurance information. ModMed said full medical records were not involved, and the types of information compromised vary from individual to individual.

The affected healthcare providers were notified on September 19, 2025, and notification letters started to be mailed to the affected individuals on October 17, 2025. ModMed is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were compromised in the incident, and steps have been taken to improve security to prevent similar incidents in the future. Due to the government shutdown, the HHS’ Office for Civil Rights breach portal has not been updated in a month, so it is currently unclear how many individuals have been affected.

LifeBridge Health

LifeBridge Health, a non-profit healthcare corporation serving patients in and around Baltimore, Maryland, has recently informed patients that some of their protected health information was compromised in a data breach earlier this year. The breach involved one of its vendors, Oracle Health (formerly Cerner). LifeBridge Health was one of many healthcare providers to be affected. Hackers gained access to a legacy system as early as January 22, 2025, and obtained patient information such as names, medical record numbers, Social Security numbers, physician names, diagnoses, test results, medications, medical images, and treatment information. LifeBridge Health said the breach was confined to Oracle Health servers, and its own systems were unaffected.

Oracle Health notified LifeBridge Health about the data breach in March 2025, with notifications reportedly delayed at the request of law enforcement. Oracle Health provided LifeBridge Health with a final list of the affected individuals on September 19, 2025. The data breach was announced by LifeBridge Health on October 16, when notification letters started to be mailed to the affected individuals. Two years of complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. It is currently unclear how many individuals have been affected.

Right at Home

Ever Care Corporation, which does business as Right at Home, a provider of in-home care to seniors and adults with disabilities, experienced a hacking incident that likely involved the theft of sensitive patient information. Suspicious network activity was identified on September 3, 2025, and an investigation was launched to determine the cause of the activity. Right at Home confirmed that the activity was due to an unauthorized actor, who is thought to have acquired files from its network on September 3, 2025. The review of the affected files was completed on October 6, 2025. There is currently no substitute data breach notice on the Right at Home website, and the types of information involved are not shown on the notifications published on attorneys general websites. The exact types of information involved are detailed in the individual notification letters. Right at Home is paying for single-bureau credit monitoring, credit score, and credit report services for the affected individuals. It is currently unclear how many individuals have been affected.

While not described by Right at Home as a ransomware attack, a ransomware group claimed responsibility for the attack. The Sinobi ransomware group, which has attacked several healthcare providers in recent months, claimed to have exfiltrated around 50 GB of data and encrypted files. Right at Home was listed on its data leak site on October 8, 2025. As such, any individual receiving a notification letter should sign up for the credit services being offered.

The post Data Breaches Announced by ModMed, LifeBridge Health & Right at Home appeared first on The HIPAA Journal.