Business services provider Conduent has been issuing a wave of data breach notification letters to impacted individuals across multiple U.S. states, following a major cybersecurity incident that was first detected in early 2025. The scale of the breach continues to unfold more than a year after the intrusion was discovered, with updated numbers showing the breadth of affected Americans expanding significantly. Notifications are being mailed to people whose personal data may have been accessed during the breach.
The Conduent Data Breach: What Happened?
In late January 2025, Conduent identified unusual activity on its internal networks. An investigation revealed that an unauthorized third party gained access to the company’s systems starting October 21, 2024, and remained inside until January 13, 2025. The breach affected systems used to support critical operations for multiple clients, including government agencies and private firms.
In response, Conduent moved quickly to secure its environment, work with forensic experts, and begin outreach to clients and affected individuals. The company has been sending letters notifying people whose personal information may have been included in the compromised data.
What Personal Data Was Involved
According to notification letters and agency filings, the types of information that could have been exposed include:
- Full names
- Postal addresses
- Dates of birth
- Social Security numbers
- Medical service details
- Health insurance information
The exact combination of data elements varied by individual, depending on the records in Conduent’s databases.
Who Is Being Notified and Where
Conduent began mailing notification letters to impacted members and clients in late 2025, and the process has continued into 2026. These letters are being sent across a wide range of states, including but not limited to:
- New Hampshire: Initially about 11,000 residents were reported as affected, but after additional notifications, the total has grown to more than 181,000.
- Other States: Notifications have been sent in New Mexico, Texas, Delaware, Massachusetts, and beyond as part of the company’s ongoing outreach.
Each letter outlines details of the incident, describes the types of personal information that may have been exposed, and provides instructions for next steps.
Expanded Impact Figures Emerging
When Conduent first disclosed the breach, state reports indicated that the incident might have affected millions of individuals. More recent analyses suggest the total number of impacted Americans may be substantially higher. Independent reports compiled by state authorities and privacy groups have indicated that the breach could involve tens of millions of people nationwide.
This scope has prompted heightened attention from state officials and consumer advocates, as well as additional scrutiny of how third-party service vendors like Conduent manage private data.
Why Notification Letters Arrived Months After the Breach
There are several reasons the letters have taken so long to reach affected residents:
- Complexity of Data: Conduent had to comb through vast volumes of data across numerous client systems to identify impacted records.
- Verification Requirements: State laws require accurate identification of individuals whose personal data may have been exposed before notification can be mailed.
- Coordination With Clients: Some clients needed to reconcile Conduent’s findings with their own records before letters could be issued.
State regulatory offices publish these notification requirements to ensure individuals are informed in compliance with data breach laws.
Contents of the Conduent Data Breach Letters
Most individuals who receive a Conduent data breach letter will find:
- A description of the incident and timeline
- Types of personal data potentially exposed
- Steps taken by Conduent to secure systems
- Information about free credit monitoring services being offered
- Instructions on how to enroll in additional identity protection
Letters may also include contact information for Conduent’s dedicated support lines and instructions for individuals who believe they were affected but did not receive a notice.
What You Should Do After Receiving a Letter
If you receive a breach notification letter from Conduent:
- Read the Letter Carefully: Understand the specific data involved and the time period.
- Enroll in Identity Monitoring: Many letters include codes or instructions for free monitoring.
- Check Your Credit Reports: Obtain reports from major credit bureaus and review for unusual activity.
- Monitor Accounts and Statements: Keep an eye on financial accounts and health insurance claims.
- Report Suspicious Activity: Report fraud or identity theft to relevant authorities promptly.
Even if you don’t enroll in monitoring, you can still take proactive steps to protect your information.
Reactions From Officials and Consumers
State officials are watching how this breach unfolds. In New Hampshire, increased numbers of notifications have raised questions among advocacy groups about how third-party vendors handle sensitive data. Similar concerns are echoed in other regions where residents are receiving notices.
Consumer responses vary as well. Some who have received a Conduent data breach letter report confusion over the details or uncertainty about what steps to take to protect themselves. Others appreciate the additional monitoring support provided with their notice.
Ongoing Developments and Expectations
Conduent and regulatory authorities continue to monitor the situation. More notifications are expected to be mailed as additional records are processed and verified. Individuals who believe they may be affected but have not received a letter yet are advised to stay alert, review account statements, and stay informed about further updates.
