In early 2026, a massive data breach at Conduent Business Services exposed the personal records of more than 25 million Americans — including Social Security numbers, medical data, and health insurance information. At least 15.4 million people in Texas and 10.5 million in Oregon were affected, making it one of the largest data breaches in United States history.

If you live in Texas or Oregon, or if you have ever received government benefits like Medicaid or SNAP, your personal information may have been stolen. Here is exactly what happened, who is affected, and what you need to do right now to protect yourself.

What happened in the Conduent data breach?

Conduent Business Services is a large government contractor. It provides printing, mailroom, and back-office support for government agencies in more than 30 states. If you have ever received a Medicaid payment, a SNAP benefits card, or other government assistance, there is a good chance Conduent handled some of your personal information behind the scenes — even if you have never heard of the company.

Between October 21, 2024 and January 13, 2025, attackers broke into Conduent’s computer systems and spent roughly three months inside the company’s network. During that time, they quietly copied approximately 8 terabytes of data — an enormous amount of personal information. To put that in perspective, 8 terabytes is enough to hold over 4 billion pages of text documents.

The breach was not publicly disclosed until early 2026, when state agencies began sending out notifications to affected individuals. On February 12, 2026, Texas Attorney General Ken Paxton launched a formal investigation into both Conduent and Blue Cross Blue Shield of Texas, calling it “the largest data breach in US history.”

Who is affected by this breach?

The breach affects at least 25 million people across multiple states:

  • Texas — 15.4 million residents, primarily those enrolled in Medicaid, SNAP, and other state benefit programs
  • Oregon — 10.5 million residents with similar government program enrollments
  • Blue Cross Blue Shield of Texas clients — members whose health insurance data was processed through Conduent’s systems
  • Other states — Conduent handles government payments in more than 30 states, so additional notifications may follow as the investigation continues

You do not need to have interacted with Conduent directly to be affected. If your state used Conduent to process your benefits, your data may have been in their systems without your knowledge.

What data was exposed?

This is what makes this breach especially dangerous. The stolen data includes some of the most sensitive categories of personal information:

  • Full names — used for identity theft and targeted phishing
  • Social Security numbers — the single most valuable piece of data for identity fraud, used to open credit cards, take out loans, and file fake tax returns in your name
  • Medical records — diagnoses, treatment history, and provider information
  • Health insurance information — policy numbers, plan details, and claims data
  • Other personally identifiable information — addresses, dates of birth, and contact details

When attackers have your Social Security number combined with your name, address, and date of birth, they have everything they need to impersonate you. This is not a breach where you just get more spam emails — this is the kind of breach that can lead to fraudulent credit accounts, stolen tax refunds, and medical identity theft, as reported by TechCrunch and Malwarebytes.

How can you check if your email was exposed?

If you used an email address to sign up for Medicaid, SNAP, Blue Cross Blue Shield of Texas, or any other government program processed through Conduent, that email may have been included in the stolen data.

You can check your email right now on EmailLeaked to see if it appears in this breach or any of the 962+ other known breaches in our database. It takes less than 10 seconds and is completely free.

You should also watch your physical mailbox for an official notification letter from Conduent or your state agency. Companies are legally required to notify affected individuals, but these letters can take weeks or months to arrive. Checking proactively is faster and gives you a head start on protecting yourself.

What should you do right now if you are affected?

If you are in Texas, Oregon, or any state where Conduent handles government benefits — or if you are a Blue Cross Blue Shield of Texas member — take these five steps immediately. Do not wait for an official notification letter.

Step 1 — Freeze your credit with all three bureaus

Because Social Security numbers were exposed, credit fraud is a serious risk. A credit freeze prevents anyone from opening new credit accounts in your name. It is free and takes about 10 minutes per bureau.

Contact each one directly:

  • Equifax — equifax.com/personal/credit-report-services or call 1-800-685-1111
  • Experian — experian.com/freeze or call 1-888-397-3742
  • TransUnion — transunion.com/credit-freeze or call 1-888-909-8872

A credit freeze does not affect your existing accounts or your credit score. You can temporarily lift it whenever you need to apply for credit.

Step 2 — Change your passwords

If you used the same password for your government benefits account as you use on other websites, change it everywhere right now. Attackers routinely try stolen credentials on banking sites, email providers, and social media within hours of getting the data.

Use a unique, random password for every account — at least 16 characters. A password manager makes this easy by generating and remembering strong passwords for you.

Step 3 — Enable two-factor authentication

Turn on two-factor authentication on every important account — especially your email, banking, and health insurance portals. This adds a second layer of security so that even if someone has your password, they still cannot log in without a code from your phone.

Step 4 — Monitor your medical and financial accounts

Check your bank statements, credit card statements, and explanation of benefits (EOB) documents from your health insurer for any activity you do not recognize. Medical identity theft is harder to detect than financial fraud because you may not notice unauthorized claims until months later.

Set up alerts on your bank accounts so you get notified of any charges over a small amount. Most banks and credit card companies let you do this through their app.

Step 5 — File an IRS Identity Protection PIN

Since Social Security numbers were exposed, there is a risk of someone filing a fraudulent tax return in your name. You can get an Identity Protection PIN from the IRS at irs.gov/ippin. This is a six-digit number that the IRS uses to verify your identity when you file your taxes. Without it, a fraudulent return will be rejected.

How did the attackers stay inside for three months?

One of the most concerning details about this breach is the timeline. The attackers first gained access on October 21, 2024, and were not detected until January 13, 2025 — nearly three months later. During that time, they had free access to move through Conduent’s systems and copy data.

This is unfortunately common in large-scale breaches. As of 2026, the average time to detect a breach across all industries is still over 200 days. The attackers used this window to exfiltrate approximately 8 terabytes of data — a staggering amount that suggests they had deep access to Conduent’s core systems.

The fact that a single government contractor held this much sensitive data for residents across dozens of states raises serious questions about how personal information is protected when it passes through third-party vendors. You trusted your state government with your information, but your state handed it to a contractor you never heard of — and that contractor failed to detect intruders for months.

How can you protect yourself from breaches like this in the future?

You cannot prevent a company from being breached. But you can limit the damage when it happens.

  • Use a unique password for every account — if one account is breached, no other account is at risk. A password manager handles this automatically.
  • Enable two-factor authentication everywhere — this is the single most effective step you can take. Read our full guide on 2FA.
  • Freeze your credit by default — keep it frozen and only lift it temporarily when you need to apply for credit. This stops most identity theft cold.
  • Check your email regularly — use EmailLeaked to find out as soon as your email appears in a new breach, before attackers can act on it.
  • Watch for phishing — after any major breach, scammers send fake emails pretending to be the breached company. Never click links in emails claiming to be breach notifications. Go directly to the company’s website instead.

Understanding how hackers get your email and what happens to stolen data can also help you stay one step ahead.

Frequently asked questions

How many people were affected by the Conduent data breach?

At least 25 million Americans were affected. Texas had the largest number at 15.4 million residents, followed by Oregon with 10.5 million. Since Conduent operates in more than 30 states, the final number could be even higher as additional states complete their investigations and send notifications.

What data was exposed in the Conduent breach?

The stolen data includes names, Social Security numbers, medical records, and health insurance information. Approximately 8 terabytes of data were exfiltrated during the three-month period the attackers had access to Conduent’s systems. This is one of the most sensitive combinations of data possible in a breach.

When did the Conduent breach happen?

The breach occurred between October 21, 2024 and January 13, 2025. The attackers spent approximately three months inside Conduent’s network before being detected. The breach was publicly disclosed in early 2026 when state agencies began notifying affected individuals and the Texas Attorney General launched a formal investigation.

What should I do if I was affected by the Conduent breach?

Take these steps immediately: freeze your credit with Equifax, Experian, and TransUnion to prevent new accounts from being opened in your name. Change your passwords on all important accounts. Enable two-factor authentication everywhere. Monitor your bank statements, health insurance claims, and credit report for suspicious activity. File an IRS Identity Protection PIN to prevent fraudulent tax returns.

Is Conduent offering credit monitoring to affected individuals?

Check your physical mailbox for official notification letters from Conduent or your state agency. Affected individuals in major breaches are typically offered free credit monitoring for one to two years. If you receive a notification letter, follow the instructions to enroll. Do not wait for the letter before taking the protective steps listed above — act now and treat the credit monitoring as an additional layer of protection.

Can I sue Conduent for this breach?

Class action lawsuits are common after breaches of this size. If you were affected, check whether a class action has been filed — you may be eligible to join. The Texas Attorney General’s investigation may also result in penalties or mandatory remediation. Keep any notification letters you receive as documentation.