A Government Contractor Got Hacked. 25 Million Americans Just Found Out.
The Conduent breach started at 400,000 victims. Then 4 million. Now 25 million and climbing. How did a ransomware attack on Medicaid data get this bad?
Twenty-five million Americans just learned their Social Security numbers, medical records, and health insurance details were stolen 16 months ago.
The number won't stop climbing. Conduent — the government contractor running Medicaid, food stamps, and public benefits across multiple states — first said 400,000 Texans were hit. Then 4 million. Then 15 million. Now it's 25 million across Texas and Oregon alone. Other states haven't reported yet.
One of the largest healthcare data breaches in US history. And it's still growing.
What happened
October 21, 2024: Hackers break into Conduent's systems.
For nearly three months, they roam freely through files holding Social Security numbers, medical histories, insurance details, addresses, and birthdates. They grab 8+ terabytes — roughly 2 million high-res photos worth of people's most sensitive information.
January 2025: Conduent discovers the breach.
October 2025: They finally start notifying victims. Ten months after discovery.
February 2026: The real scale emerges. Texas Attorney General Ken Paxton announces 23 million Texans were hit. Oregon adds another 2 million. The numbers are still incomplete.
Who got hit
Conduent handles Medicaid enrollment, food stamps, and health insurance marketplaces. The victims weren't shopping at luxury retailers — they were applying for public assistance or enrolling in state healthcare.
The SafePay ransomware gang claimed responsibility. They target healthcare and demand payment to keep stolen data offline. Whether Conduent paid hasn't been disclosed.
Why this one hits different
Equifax's 2017 breach exposed 147 million Americans. But that was credit data — people expect that risk.
Conduent's victims are mostly low-income families who handed over everything to access public benefits. You can't get Medicaid without giving the contractor your Social Security number, medical history, the lot. You can't freeze it. You can't opt out.
And Texas and Oregon are just two states. Conduent operates in dozens. The final number could be far higher.
What's next
Stolen Social Security numbers don't expire. Medical histories don't change. This data will circulate on dark web markets for years, fueling identity theft, insurance fraud, and targeted scams.
Conduent's offering credit monitoring. That covers financial identity theft. It does nothing for medical identity theft — when someone uses your stolen insurance to get treatment, and their medical history merges with yours.
Texas AG Ken Paxton opened an investigation. Oregon's doing the same. But investigations don't un-steal data. The victims — people who trusted a government contractor because they had no other option — are left dealing with this for decades.
The breach happened October 2024. We're still learning how bad it is in February 2026. That delay isn't an accident. It's the pattern.
Keep Reading
One Hacker, One AI, 150 Gigabytes of Government Data
A lone hacker jailbroke Claude AI and stole 195 million Mexican taxpayer records in six weeks. This is the first confirmed case of AI being weaponized to breach a government — and it won't be the last.
Hacker Jailbroke Claude AI, Stole 150GB of Mexican Government Data
A chatbot refused to help with malicious activity. The attacker kept asking. Claude complied, and 195 million taxpayer records vanished.
Jailbroken AI Just Hacked a Government
Hackers used a jailbroken Claude AI to breach the Mexican government. First confirmed case of AI weaponized for cyberattacks. The tools we built to help are being turned against us.
Explore Perspectives
Get this delivered free every morning
The daily briefing with perspectives from 7 regions — straight to your inbox.