If you’ve ever used Medicaid, received child support payments, or accessed government benefits in the United States, a company called Conduent probably has your most sensitive personal information. You almost certainly never agreed to this, and you probably never heard of them until now.
A ransomware attack that began in late 2024 has now been confirmed to have compromised personal data of more than 25 million Americans — making it potentially the largest data breach in U.S. history. And the number is still growing.
What Happened
Conduent is a government contractor that processes data for Medicaid programs in 23 states plus Puerto Rico and Washington D.C., handles child support payments, manages government benefits disbursement, and performs various administrative functions for state agencies. The company processes over 155 million Medicaid claims annually and supports services for approximately 100 million U.S. residents.
In January 2025, the company disclosed a “cyber incident” that disrupted some of its services. What it didn’t immediately reveal was the scale of the compromise.
According to cybersecurity researchers and state attorney general filings, hackers from the SafePay ransomware group had access to Conduent’s systems from October 21, 2024, through January 13, 2025 — nearly three months of undetected access. During that time, they exfiltrated approximately 8 terabytes of data.
The stolen information includes:
- Full names
- Dates of birth
- Home addresses
- Social Security numbers
- Health insurance information
- Medical data
This is not merely an inconvenience. This is identity theft starter kit.
The Shadow Data Problem
What makes this breach particularly troubling is that most victims had no idea Conduent held their data. They signed up for Medicaid or applied for government benefits — they didn’t sign up for Conduent.
This is the reality of modern data processing: when you interact with a government agency, your information often flows through multiple private contractors, subcontractors, and service providers. Each of these represents a potential point of failure. Each is a target. And you have no visibility into or control over how your data moves through this hidden infrastructure.
Conduent is a prime example. They’re not a household name, but they touch the data of one in three Americans. Their clients include state Medicaid agencies, child support enforcement offices, unemployment systems, and more. When you access these services, your data goes to Conduent — whether you know it or not.
The Scope Keeps Growing
Initial reports suggested around 4 million people were affected. Then it became 10 million. As of late February 2026, state notifications have confirmed at least 25 million victims:
- Texas: 15.4 million people (up from an initial estimate of 4 million)
- Oregon: 10.5 million people
And those are just two states. As more state attorney general offices complete their investigations, the number is expected to grow further.
Notification letters are still being mailed. Conduent expects to complete consumer notifications by mid-April 2026 — more than a year after the attackers first gained access.
What You Can Do
If you’ve used Medicaid, received government benefits, or accessed child support services in any U.S. state, you should assume your data may have been compromised. Don’t wait for a notification letter.
Freeze your credit immediately. Contact all three credit bureaus (Equifax, Experian, TransUnion) and place a security freeze on your credit files. This prevents anyone from opening new accounts in your name. It’s free and the single most effective step you can take.
Monitor your medical records. Medical identity theft is harder to detect and can have serious consequences — bills for services you never received, incorrect medical histories that could affect your care. Request your medical records and review them for unfamiliar entries.
File your taxes early. Tax refund fraud using stolen Social Security numbers is common after breaches of this scale. Filing early prevents criminals from filing a fraudulent return in your name.
Be skeptical of follow-up contacts. Criminals often use breach data to craft convincing phishing attempts. If someone calls claiming to be from Medicaid, your state benefits office, or Conduent itself, don’t provide any information. Hang up and call the official number directly.
The Bigger Picture
This breach highlights the fundamental fragility of centralized data systems — and the particular risk posed by the invisible infrastructure of government contractors.
When private companies handle government data at scale, they become high-value targets. They hold data on millions of people who never chose to be their customers. And when those companies fail to adequately secure their systems — as appears to have happened here, with attackers having nearly three months of undetected access — the consequences fall on citizens who had no say in the matter.
The EU’s GDPR framework, which I Am NOT The Product operates under, takes a fundamentally different approach: data minimization, user control, and strict limits on how personal information can be processed and shared. The Conduent breach is a case study in why that approach matters.
Your most sensitive personal information shouldn’t be floating through hidden corporate systems you’ve never heard of. You should know who has your data. You should have a say in how it’s used. And when something goes wrong, you shouldn’t find out a year later.
The 25 million Americans affected by this breach deserved better. So does everyone else.