Conduent healthcare data breach

Conduent, Inc. (Conduent), a provider of back-office services in healthcare, reported that a cyberattack in October 2024 may have compromised the personal information of 10.5 million people. This incident is the largest healthcare data breach of 2025 so far, nearly twice the size of the Yale New Haven Health breach, which affected 5.5 million.

In addition to financial losses, Conduent now faces multiple federal class-action lawsuits and a HIPAA investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Conduent is a leading provider of business services in banking, healthcare, transportation, government, and manufacturing. Spun off from Xerox in 2017, Conduent now generates over $3.1 billion in annual revenue and employs 56,000 people globally.

As a provider of business services to healthcare organizations and insurers, Conduent is a HIPAA business associate and must adhere to HIPAA regulations.

The Right Safeguards Maintain Trust

The healthcare ecosystem relies on trust and privacy. Patients expect their providers, insurers, and partners to protect their most sensitive personal information. Under HIPAA, regulated entities must carefully safeguard this protected health information (PHI). When healthcare organizations break that trust—especially on a large scale—the consequences are quick, severe, and very costly.

The recent incident at Conduent serves as a stark, multi-million-dollar warning for every organization handling PHI, from small medical practices to large-scale business associates (BAs) and government contractors. A single security breach affected over 10.5 million individuals and quickly escalated from a security event to a full-blown legal and financial crisis.

Strong cybersecurity practices, a thorough HIPAA risk analysis, and effective risk management could have prevented losses that already total roughly $50 million in response and notification costs, before any fines, legal fees, or settlements are counted.

The Anatomy of a Mega-Breach: A Cautionary Tale

In January 2025, Conduent experienced what it described as “an operational disruption.” The investigation showed that a cyber threat actor had gained unauthorized access to the company’s network on October 21, 2024, and remained there for 12 weeks, until January 13, 2025.

The scale of the breach was immense. Early reports showed that over 10.5 million people had their personal and health information possibly exposed. The data involved varies by individual but includes names, Social Security numbers, medical details, and health insurance information. Although not every data point was present for each person, the inclusion of identifiers like Social Security numbers greatly increased the risk of identity theft for millions.

Conduent’s Financial Losses

The immediate financial impact on the company was significant, with Conduent reporting about $25 million in direct response costs alone. These initial expenses include forensic investigations, system restoration, and the complex, time-consuming process of analyzing affected files to identify every compromised individual. This cost does not even account for the long-term expenses related to regulatory fines, legal fees, or settlement payouts.

Conduent’s latest SEC filing shows an extra $9 million in losses from breach notifications through September and $16 million in costs related to breach notifications expected by the first quarter of 2026. However, the company anticipates that its cyber insurance policy will cover any additional notification expenses.

Business Associate Due Diligence

It is important to understand the exact nature of the failure: the incident did not involve a direct breach of the customers’ IT systems, such as those of Premera or Blue Cross Blue Shield of Texas. Instead, the compromise occurred at their third-party business associate, Conduent. This underscores a critical, often-overlooked aspect of the HIPAA Security Rule: the risk posed by vendor negligence.

From the perspective of regulators and, more importantly, in the context of civil lawsuits, the obligation to protect PHI extends across the entire supply chain. If your business associate fails, it affects you, your reputation, and your shared regulatory responsibilities.

The Real Cost of Non-Compliance: Legal Risks

While the financial cost of a breach is immediate, the legal repercussions tend to be more long-lasting and arguably more damaging. The severity of the Conduent breach caused an immediate spike in proposed federal class-action lawsuits. Within days of the public disclosure, at least nine separate class-action suits were filed against Conduent, with additional law firms publicly announcing investigations for further legal action.

The main argument in these lawsuits is straightforward yet severe: negligence.

Litigation filed against the company claims that Conduent did not take reasonable steps to secure highly sensitive private data of individuals. By collecting, obtaining, and storing this data, the company took on legal and ethical responsibilities to protect it. The complaints allege that failing to meet these responsibilities allowed hackers to breach the systems and steal the data.

Failure to Follow HIPAA Equals Negligence

The plaintiffs’ theory rests on an alleged failure to comply with the HIPAA Security Rule. The lawsuits are not filed under HIPAA itself, which does not provide a private cause of action; they plead breach of privacy and negligence. But the plaintiffs’ lawyers will cite HIPAA as the standard of care. If they can show that Conduent did not meet its requirements, they will argue that this establishes negligence.

The Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). When a breach occurs because basic protections were missing, that gap can serve as strong evidence of negligence in court.

Plaintiffs in these class actions are not just seeking compensation for damages already suffered; they are pursuing lifetime identity theft protection services, substantial financial damages, and injunctive relief. Injunctive relief refers to a court order requiring the company to implement “reasonably sufficient practices to safeguard the private information” to prevent future incidents. In essence, the plaintiffs are demanding a comprehensive, costly, and mandatory security overhaul—a direct consequence of the initial failure to comply.

This is the key lesson: Proactively investing in HIPAA compliance is your most effective tool to prevent lawsuits. When you can show reasonable, thorough, and documented adherence to the Security and Privacy Rules, it becomes much harder for plaintiffs to prove negligence. On the other hand, a weak security system is a gift to plaintiffs’ attorneys.

HIPAA Compliance: Your Essential Roadmap

The Conduent case highlights several essential compliance items that every organization handling PHI must prioritize.

Risk Analysis and Risk Management: A documented, comprehensive risk analysis is the foundation of the HIPAA Security Rule. Organizations must continually identify, evaluate, and implement measures to reduce risks and vulnerabilities to ePHI. An operational disruption and nearly three months of unauthorized access point to a failure of basic risk management controls.

Access Control and Monitoring: The attackers had access for nearly three months. Implementing strong access controls, network segmentation, multi-factor authentication, and continuous monitoring (24/7 security event logging with alerting that someone actually reviews) is crucial to detecting and stopping threats before they escalate into multi-million-record disasters. Logs that nobody queries do not shorten dwell time.
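To make the monitoring point concrete, here is an added example (not from the original article, and not Conduent’s tooling or logs): a small detector that runs over constructed authentication log lines, raises an alert the first time an account succeeds from outside the assumed internal address space or without MFA, and computes the resulting dwell time per account. The log format, account names, and IP ranges are assumptions for illustration; the 12-week window mirrors the dates the article reports.

```python
"""Added example, not code from the original article or from Conduent.
First-seen external logon alerts and dwell-time calculation over constructed
authentication log lines. Log format, accounts and IP ranges are assumed."""
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

# Assumed internal address space; anything outside it is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log (not real Conduent data). One event per line:
# "<ISO-8601 timestamp> <SUCCESS|FAILURE> user=<account> src=<ip> mfa=<yes|no>"
SAMPLE_LOG = """\
2024-10-20T08:01:12Z SUCCESS user=svc_backup src=10.4.2.17 mfa=no
2024-10-21T02:14:55Z SUCCESS user=svc_backup src=203.0.113.45 mfa=no
2024-10-22T02:15:03Z SUCCESS user=svc_backup src=203.0.113.45 mfa=no
2024-11-30T03:10:41Z SUCCESS user=svc_backup src=203.0.113.45 mfa=no
2025-01-13T04:40:09Z SUCCESS user=svc_backup src=203.0.113.45 mfa=no
2024-10-21T09:30:00Z SUCCESS user=jdoe src=192.168.5.9 mfa=yes
2024-10-21T09:31:00Z FAILURE user=jdoe src=198.51.100.7 mfa=yes
"""


def parse_line(line: str) -> dict:
    """Parse one log line into a dict with typed fields."""
    ts, result, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc),
        "result": result,
        "user": fields["user"],
        "src": ipaddress.ip_address(fields["src"]),
        "mfa": fields["mfa"] == "yes",
    }


def is_internal(ip: ipaddress._BaseAddress) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def first_alerts(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) for the FIRST suspicious success per
    account: a successful logon from an external source, or one without MFA.
    This is the alert that should fire on day one, not after twelve weeks."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    alerted: set[str] = set()
    alerts = []
    for e in events:
        if e["result"] != "SUCCESS" or e["user"] in alerted:
            continue
        reasons = []
        if not is_internal(e["src"]):
            reasons.append(f"external source {e['src']}")
        if not e["mfa"]:
            reasons.append("no MFA")
        if reasons:
            alerted.add(e["user"])
            alerts.append((e["ts"].isoformat(), e["user"], "; ".join(reasons)))
    return alerts


def external_dwell_days(log_text: str) -> dict[str, int]:
    """Days between the first and last successful EXTERNAL logon per account,
    i.e. the retrospective dwell time an incident responder would report."""
    first: dict[str, datetime] = {}
    last: dict[str, datetime] = {}
    for l in log_text.splitlines():
        if not l.strip():
            continue
        e = parse_line(l)
        if e["result"] != "SUCCESS" or is_internal(e["src"]):
            continue
        first.setdefault(e["user"], e["ts"])
        first[e["user"]] = min(first[e["user"]], e["ts"])
        last[e["user"]] = max(last.get(e["user"], e["ts"]), e["ts"])
    return {u: (last[u] - first[u]).days for u in first}


if __name__ == "__main__":
    for ts, user, why in first_alerts(SAMPLE_LOG):
        print(f"ALERT {ts} {user}: {why}")
    for user, days in external_dwell_days(SAMPLE_LOG).items():
        print(f"{user}: {days} days of external access")
```

On the constructed log, the service account first alerts on October 20 (an internal logon without MFA) and then shows 84 days of external access, the same 12-week window the article describes; jdoe never triggers, because the only external attempt failed. The point is the contrast between the two functions: the alert exists on day one, while the dwell-time figure is what you compute afterwards when the alert was never reviewed.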

Business Associate Agreements (BAAs): Covered Entities must not only have a BAA in place but also perform thorough due diligence and ongoing monitoring of their Business Associates. The BAA is the contract that obligates the BA to HIPAA standards, but it is not a substitute for auditing their security measures. The entity that hires the BA remains responsible for shared regulatory oversight.
