
June 5, 2026, update: The number of individuals affected by the Conduent breach has risen to more than 62.2 million. When first reported last fall, the number was estimated at 10.5 million. In February, Conduent revised the number to 25.5 million.
Missouri insurance regulators are calling on Conduent to be more forthcoming about the massive data breach it announced last year.
The healthcare sector has long regarded the U.S. Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) as the primary authorities on data privacy. For years, the prevailing wisdom among HIPAA compliance officials was: “Keep the OCR happy, and the rest will follow.”
That’s no longer true. In some cases, “the rest” are leading. The latest example is Missouri’s investigation into the Conduent data breach.
Conduent is a New Jersey-based business processing outsourcing company that provides services like printing, payment, and document and claims processing to state and federal government agencies as well as large healthcare, commercial and transportation organizations. Many of its customers are healthcare covered entities, making Conduent a HIPAA business associate.
The ongoing fallout from the Conduent breach offers lessons for healthcare leadership, risk managers, and legal counsel. The Conduent breach has become a financial and legal titan, now ranked as one of the largest healthcare data breaches in history. With more than 62.2 million people affected, it ranks behind the massive Anthem breach (78.8 million) in 2015 and the unprecedented Change Healthcare cyberattack (192.7 million) in 2024.
The sheer scale of the breach is staggering, but the most critical development isn’t the number of records lost – it is the aggressive, multi-state regulatory wave closing in on the company. OCR is very likely already investigating Conduent for HIPAA Security Rule violations, but now, state regulators from Missouri, Texas, and Montana are showing that HIPAA is only one aspect of data privacy enforcement. Add aggressive private class-action lawsuits to complete the picture.
The Missouri Bulletin Warns About Stonewalling
In a rare move, the Missouri Department of Commerce and Insurance (DCI) recently issued a Director’s Bulletin that should send a chill through every HIPAA-regulated entity in the country. Although the Bulletin (Bulletin 26-03) addresses “certain business entities” involved in major breaches, the context of the Missouri investigation into Conduent makes the target clear.
The Bulletin’s tone is not collaborative but rather frustrated. The DCI indicated that it is seeking more information because the entities in question have not been “forthcoming” in responding to questions about the impact on Missouri policyholders.
For compliance officials, the takeaway is clear: Silence is treated as noncompliance.
When a state insurance regulator requests information, it typically acts under state insurance codes that grant broad subpoena powers and the authority to revoke licenses. If a company is perceived as evasive, the regulator’s focus shifts from “How did the breach happen?” to “Is this company fit to do business in our state?” From an administrative perspective, this is far more ominous than a standard OCR audit.
The Four Pillars of Liability Risk in Data Privacy
Missouri is not the only state investigating Conduent. Reports indicate that Montana and Texas have also launched investigations.
In the past, states often waited for federal findings before acting. Today, state Attorneys General (AGs) are increasingly proactive, using state-specific consumer protection laws and expansive new privacy acts, such as the Texas Data Privacy and Security Act, to launch their own independent probes.
Your compliance vulnerabilities fall squarely into four pillars of liability risk:
- Federal Risk: HHS/OCR investigations into HIPAA Security Rule violations.
- State Insurance Mandates: Insurance Departments (such as Missouri DCI) are investigating the impacts on policyholders and insurance market stability.
- State Consumer Protection and Privacy: Attorneys General can investigate “unfair or deceptive trade practices” under consumer protection laws or breach of privacy under state privacy laws or HIPAA.
- Private litigation: At least 35 class action lawsuits have been filed against Conduent and are consolidated in the federal district court in New Jersey, where Conduent is headquartered.
Why This Matters to You: Privacy Beyond HIPAA
For IT professionals or healthcare owners, it is easy to assume that if the data isn’t technically Protected Health Information (PHI) under HIPAA, the risk is lower. The Conduent investigations prove this assumption is a fallacy.
State regulators aren’t just looking for HIPAA violations. They are investigating:
- Data Security Negligence: Did the company fail to implement “reasonable” security measures as defined under state law?
- Consumer Protection: Were customers misled regarding the safety of their data?
- Insurance Practice Violations: Did the breach impair the company’s ability to meet its obligations to policyholders or to maintain its license?
Reframing Your Administrative Strategy
If you are a HIPAA compliance official or a lawyer representing healthcare entities, the Conduent investigations suggest three potential changes.
- The “State-First” Response Plan
Your Incident Response Plan (IRP) likely includes a section on notifying the OCR and the media. Does it also include a section for notifying State Insurance Commissioners? In many jurisdictions, the notification requirements for an insurance regulator differ from HIPAA’s, and the deadlines are often shorter than the 60-day HIPAA window. If your entity operates in Missouri, Texas, or Montana, you must establish a direct line of communication for state-level inquiries.
- Transparency as a Defense
The Missouri DCI bulletin specifically highlighted a lack of forthcoming information. Administratively, when a breach occurs, your legal and PR teams must balance “protecting the record” with “regulatory cooperation.” In 2026, regulators are increasingly willing to go public with their frustrations, as Missouri did. Being perceived as a cooperative victim of a cyberattack is a far better defense than being seen as an evasive violator.
- Vendor Due Diligence Re-Evaluation
Conduent, like Change Healthcare, is a major service provider—a “Business Associate” under HIPAA. For healthcare organization owners, the lesson is that you cannot outsource your risk. If your vendor is under investigation by three states, your organization’s data is part of that investigation.
You should be asking your vendors:
- “In the event of a breach, what is your protocol for cooperating with state-level insurance and consumer protection regulators?”
- “Can you provide a state-by-state breakdown of where our patients’ data resides?”
The Cost of Disjointed Enforcement
The Conduent breach is a significant financial burden for the company, but the real cost may stem from the “death by a thousand cuts” inherent in multi-state regulatory action, federal enforcement, and private lawsuits.
For healthcare lawyers, the Conduent case is a cautionary reminder to treat the Missouri DCI Bulletin 26-03 as a template for future enforcement. States are no longer content to let the federal government handle data privacy. They are asserting their rights to protect their citizens and using every administrative tool at their disposal—including public shaming through bulletins—to ensure they get the answers they want.
Broaden Your Perspective to Prepare for Enforcement
As one of the largest breaches in healthcare history, Conduent was always going to attract attention. But Missouri regulators’ “not forthcoming” label indicates a shift in the relationship between the industry and the government.
Whether you are in a small practice in St. Louis or a large technical firm in Austin, the message is clear: Your compliance program must look beyond the HIPAA Security Rule. You are accountable to the states where you operate, and in 2026, those states are paying close attention.
The era of “federal-only” compliance is over. Welcome to the age of the four-front threat.