Conduent ransomware exposes data for more than 25 million Americans, state filings show

State breach notifications tied to contractor Conduent reveal over 25 million Americans had personal information exposed, threatening benefit access and widening equity gaps.

Lisa Park

Conduent Business Services, a major government-services and business-process contractor, is at the center of a ransomware breach that, according to state filings submitted on Feb. 26, 2026, has exposed personal information for more than 25 million Americans. Notifications submitted by affected state agencies, notably in Texas and Oregon, indicate the incident reaches into systems that process state benefit programs and private-sector client data, creating immediate risks to individuals who depend on those services.

State breach filings do not yet present a single consolidated count by program, but they show a sharp expansion from earlier estimates and describe large cohorts of residents whose records were stored or processed by Conduent. The affected data is tied to administration of public benefits and other services, raising the possibility of interrupted payments, stalled enrollments and increased vulnerability to identity fraud among populations already facing financial strain.

Public health and community advocates warn that consequences will fall disproportionately on low-income and marginalized communities. Many of the people whose information was handled by Conduent rely on food assistance, Medicaid, unemployment and other programs for basic needs. Disruptions to verification processes or delays while agencies secure systems could delay access to care, nutrition and income that directly affect health outcomes.

Beyond immediate service interruptions, the breach amplifies long-running concerns about reliance on third-party contractors to manage sensitive government data. Conduent operates at scale for multiple states and private clients, and the filings underscore how a single contractor compromise can cascade through public systems. Privacy and equity experts argue this pattern concentrates risk in ways that regulatory frameworks have not fully addressed.

State officials have submitted the notifications required under breach laws, and agencies are moving to alert affected residents. The filings are the primary source for the current scope assessment; they typically trigger mandated consumer notices, and they will inform any regulatory or legal follow-up. The practical remedies residents will be offered and the timelines for restoring secure operations vary by state and program.

Health systems and social service providers face two intertwined challenges: protecting individuals from fraud and keeping benefits flowing. Even temporary interruptions in food assistance or Medicaid services can increase emergency department visits, worsen chronic disease control and deepen economic precarity. Marginalized communities, including those with limited English proficiency or unstable housing, may have the least access to timely notifications and help to navigate recovery steps.

The breach also sharpens policy debates about contract oversight, data minimization and accountability. Legislators and consumer advocates have for years urged clearer standards for how vendors store, partition and purge government-held personal data. The scale revealed in these filings is likely to renew calls for stricter procurement terms, regular security audits, and federal baseline rules for contractors that handle public benefits data.

For now, the priorities are notification, fraud mitigation and ensuring continuity of services. State agencies will need to coordinate outreach tailored to vulnerable populations, including clear instructions in multiple languages and active assistance to prevent gaps in benefits or care. The incident spotlights the human costs when essential public programs depend on private infrastructure that fails to withstand targeted attacks, and it raises urgent questions about how to protect the people who most rely on government safety nets.
