Conduent Data Breach Exposes 25 Million Records: What Las Vegas Businesses Must Do Right Now

SafePay ransomware breached Conduent Business Services, exposing 25M+ records including SSNs and PHI. Las Vegas businesses using third-party vendors are at risk. Here's your action plan.


⚠️ THREAT LEVEL: CRITICAL  |  AFFECTED SECTORS: Healthcare, Insurance, Government, Any Organization Using Third-Party Vendors
The SafePay ransomware group breached Conduent Business Services, a Fortune 500 HIPAA Business Associate, and remained undetected inside their network for 84 consecutive days. As of February 2026, more than 25 million Americans have been confirmed victims. If your Las Vegas organization relies on any third-party vendor for payroll, benefits administration, healthcare billing, or document processing — this breach is a direct warning for you.

Executive Summary: What Happened and Why It Is Critical

Between October 21, 2024 and January 13, 2025, cybercriminals operating under the SafePay ransomware group maintained unauthorized access to the internal network of Conduent Business Services LLC — a Xerox spin-off providing back-office processing services to major healthcare insurers, state government agencies, and Fortune 100 companies. Conduent first detected “an operational disruption” on January 13, 2025, and publicly disclosed the breach in an SEC 8-K filing in April 2025.

What initially appeared to affect approximately 4 million individuals has since grown to over 25 million confirmed victims, making this the largest U.S. healthcare-related data breach of 2025 and the eighth-largest in recorded history. The attackers exfiltrated an estimated 8.5 terabytes of data, including the most sensitive categories of personal and medical information.

For Las Vegas business owners: This is not a distant healthcare problem. It is a third-party vendor risk problem — and every organization in the Las Vegas Valley that uses an external company to manage HR, benefits, billing, or data processing faces the same structural vulnerability that Conduent exposed.

Technical Details: The Anatomy of the Attack

Attack Timeline

  • October 21, 2024: Initial network intrusion — SafePay gains unauthorized access to Conduent’s enterprise environment.
  • Oct 21, 2024 – Jan 13, 2025 (84 days): Active dwell time — the threat actor performs reconnaissance, moves laterally, and stages data exfiltration. This is consistent with MITRE ATT&CK tactics TA0009 (Collection) and TA0010 (Exfiltration).
  • January 13, 2025: Breach discovered following service disruptions reported by client state agencies, including the Wisconsin Child Support Trust Fund.
  • February 2025: SafePay adds Conduent to its dark web data leak site, threatening to publish 8.5 TB of stolen data unless a ransom is paid. Conduent is subsequently removed from the site — strongly suggesting a ransom payment or data sale occurred.
  • April 2025: Conduent files SEC 8-K disclosure. First public acknowledgment of the breach.
  • October 2025: Oregon AG breach report confirms 10.5 million individuals affected.
  • February 2026: Conduent notifies Wisconsin regulators the victim count has reached “25 million-plus” nationwide.

Data Compromised

  • Full legal names and residential addresses
  • Social Security Numbers (SSNs)
  • Dates of birth
  • Health insurance plan details and member IDs
  • Medical treatment information and claims data
  • In some cases: financial account details and government benefit program data

Confirmed Affected Organizations

  • Humana — top 5 U.S. health insurer (number of members affected: TBD)
  • Premera Blue Cross — largest health insurer in the Pacific Northwest
  • Blue Cross Blue Shield of Texas — 4 million+ Texans affected
  • Blue Cross Blue Shield of Montana — approximately 462,000 members affected
  • BlueCross BlueShield of Tennessee — confirmed affected, count TBD
  • Wisconsin Department of Children and Families — service disruptions to child support payments
  • Volvo — approximately 17,000 employees and affiliated individuals affected
  • Additional HIPAA-covered entities and government agencies: not yet fully disclosed

Threat Actor Profile: SafePay Ransomware Group

  • Classification: Ransomware-as-a-Service (RaaS) operator
  • Primary MITRE ATT&CK TTPs observed:
    • T1190 – Exploit Public-Facing Application (likely initial access vector)
    • T1078 – Valid Accounts (credential abuse for persistence)
    • T1486 – Data Encrypted for Impact (ransomware deployment)
    • T1041 / T1048 – Exfiltration over C2 Channel / Alternative Protocol
    • T1657 – Financial Theft (ransom negotiation)
  • Forensic investigators engaged: Palo Alto Networks Unit 42
  • No specific CVE has been publicly disclosed as the root cause. The attack leveraged unauthorized enterprise access — meaning insider threat controls, network segmentation, and privileged access management (PAM) all failed or were absent.
  • NIST CSF Risk Category: IDENTIFY (ID.SC) — Supply Chain Risk Management failure

Financial Impact to Conduent (as of May 2025)

  • Direct breach response costs: $25 million and rising
  • Federal class action lawsuits filed: 10+ in U.S. District Court, District of New Jersey
  • Investigations launched by: Texas AG, Montana AG, and HHS Office for Civil Rights (OCR)
  • Total projected exposure (legal + regulatory + remediation): estimated $50 million+

The Risk to Your Las Vegas Business: Why CEOs Must Care

CEO Alert: The Conduent breach is not just a healthcare story. It is the definitive case study for why your vendor relationships are your biggest unmanaged cybersecurity liability.

The Third-Party Vendor Blindspot

Most Las Vegas businesses — from Strip resort operators managing 10,000+ employee benefit plans, to downtown law firms outsourcing document processing, to medical practices using billing clearinghouses — share a common vulnerability: they extend implicit trust to vendors who touch their most sensitive data. Conduent is the proof of concept for what regulators and insurers have been warning about for years.

Under the HIPAA Security Rule (45 CFR §164.308(b)), a covered entity is legally responsible for ensuring that every Business Associate maintains appropriate safeguards. If your billing company, HR processor, or benefits administrator is breached, the regulatory exposure lands on you — not just them. The HHS Office for Civil Rights doesn’t care that “it was the vendor’s fault.”

Why Las Vegas Is Specifically Exposed

  • Gaming and Hospitality: Las Vegas resorts operate 24/7/365 with massive workforce management needs — many contract with third-party BPO providers for HR, payroll, and benefits administration. These are exactly the types of Conduent clients affected.
  • Healthcare Ecosystem: Las Vegas has experienced explosive healthcare growth, with major health systems relying on third-party billing and administrative services. A Conduent-style breach at any one vendor cascades across dozens of providers.
  • Legal and Professional Services: Nevada law firms handling workers’ compensation, personal injury, and employment law frequently process PHI and PII through third-party case management and document services.
  • Government Contractors: Nevada state agencies and Clark County rely on contractors for social services administration — the same sector devastated in the Conduent breach (Wisconsin DCF, Oklahoma DHS).
  • Remote and Hybrid Workforce: Las Vegas companies with distributed workforces have expanded their vendor footprint dramatically since 2020, increasing the number of third-party access points into sensitive systems.

The Ransomware Dwell-Time Problem

The most alarming aspect of the Conduent breach is not the data stolen — it’s the 84-day dwell time. Threat actors were inside the network for nearly three months before anyone noticed. According to the 2024 Verizon Data Breach Investigations Report (DBIR), the median ransomware dwell time before detection is 24 days. SafePay operated for more than three times that window — moving laterally, mapping data, and staging exfiltration completely undetected. Your endpoint detection tools alone will not catch this. You need behavioral analytics, network segmentation, and 24/7 SOC monitoring.

Your 3-Step Mitigation Plan: What To Do This Week

Step 1 — Conduct an Emergency Vendor Risk Audit (Days 1–3)

Pull your complete vendor inventory. For every third-party provider that touches your data, demand answers to the following NIST SP 800-161 (Supply Chain Risk Management) questions:

  • Do you have a current, signed Business Associate Agreement (BAA) in place? Is it compliant with the 2013 HIPAA Omnibus Rule?
  • Can your vendor provide evidence of their most recent SOC 2 Type II audit report? When was it last completed?
  • What is their average time-to-detection for unauthorized access? Do they have 24/7 Security Operations Center (SOC) monitoring?
  • How is your data segregated from other clients in their environment? (The Conduent breach suggests a multi-tenant environment without adequate segmentation.)
  • Do they carry cyber liability insurance, and what is the coverage limit?
  • What is their Incident Response Plan (IRP), and when was it last tested?

Step 2 — Harden Your Internal Controls Against Third-Party Lateral Movement (Days 4–10)

Even if the breach originates at a vendor, attackers frequently use compromised vendor credentials to pivot into your internal network. Apply these CISA-recommended zero-trust controls immediately:

  • Enforce Multi-Factor Authentication (MFA) on every vendor portal, VPN, and remote access point — no exceptions. CISA’s Known Exploited Vulnerabilities (KEV) catalog shows credential abuse as the #1 initial access vector in 2024.
  • Implement Privileged Access Management (PAM): Vendor accounts should operate on a just-in-time (JIT) access model — access granted only when needed, automatically revoked after the session ends.
  • Network Micro-Segmentation: Your vendor’s access should be restricted to only the systems they explicitly need. A billing vendor should never have lateral access to HR systems, and vice versa.
  • Deploy a SIEM with behavioral baselines: SafePay’s 84-day dwell time would have been visible as anomalous data staging and exfiltration patterns in a properly tuned SIEM. Alert on large-volume file access events and after-hours data transfers.
  • Review and revoke stale vendor credentials: Run an immediate audit of all active third-party accounts. Disable any vendor account not actively used in the last 30 days.
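
The last two controls in this list (behavioral alerting on vendor transfers, and the 30-day stale-credential audit) can be prototyped against an export of vendor activity logs before a SIEM rule is written. This is an added example, not part of the original post or any vendor's tooling; the account names, event format, business-hours window and 10x volume threshold are assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events: (timestamp, vendor account, bytes transferred out).
# Account names are hypothetical.
EVENTS = [
    ("2025-03-03T10:15", "svc-billing-vendor", 40_000_000),
    ("2025-03-04T11:02", "svc-billing-vendor", 55_000_000),
    ("2025-03-05T14:40", "svc-billing-vendor", 48_000_000),
    ("2025-03-06T02:13", "svc-billing-vendor", 52_000_000),     # after hours
    ("2025-03-07T13:30", "svc-billing-vendor", 9_500_000_000),  # volume spike
    ("2025-01-20T09:00", "svc-payroll-vendor", 12_000_000),     # last seen in January
]
VENDOR_ACCOUNTS = ["svc-billing-vendor", "svc-payroll-vendor", "svc-docs-vendor"]

BUSINESS_HOURS = range(7, 19)     # assumed 07:00-18:59 local time, Mon-Fri
VOLUME_FACTOR = 10                # assumed: alert at 10x the account's own median
STALE_AFTER = timedelta(days=30)  # the 30-day window from the checklist above

def parse(events):
    return sorted((datetime.fromisoformat(ts), acct, size) for ts, acct, size in events)

def transfer_alerts(events):
    """Flag after-hours transfers and transfers far above the account's baseline."""
    history, alerts = {}, []
    for ts, acct, size in parse(events):
        past = history.setdefault(acct, [])
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            alerts.append((ts.isoformat(), acct, "after-hours transfer"))
        # Require a few prior observations before trusting the baseline.
        if len(past) >= 3 and size > VOLUME_FACTOR * median(past):
            alerts.append((ts.isoformat(), acct, "volume above baseline"))
        else:
            past.append(size)  # spikes are kept out so they cannot raise the baseline
    return alerts

def stale_accounts(events, accounts, now):
    """Return vendor accounts with no activity in the last 30 days (or none at all)."""
    last_seen = {}
    for ts, acct, _ in parse(events):
        last_seen[acct] = ts  # events are sorted, so the final write is the latest
    return [a for a in accounts
            if a not in last_seen or now - last_seen[a] > STALE_AFTER]

if __name__ == "__main__":
    for alert in transfer_alerts(EVENTS):
        print("ALERT", *alert)
    print("DISABLE", stale_accounts(EVENTS, VENDOR_ACCOUNTS, datetime(2025, 3, 10)))
```

Accounts that appear in the inventory but never in the logs are reported as stale as well, since an unused vendor credential is the case the 30-day rule is meant to catch.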

Step 3 — Execute Your Breach Notification Readiness Review (Days 11–14)

If a vendor breach exposes your customers’ PHI or PII, your clock starts immediately. Failing the notification timeline is a separate HIPAA violation on top of the original breach.

  • Know your notification deadlines: HIPAA requires covered entities to notify affected individuals within 60 days of discovering a breach. Nevada’s data breach law (NRS 603A) requires notification “in the most expedient time possible.”
  • Map your data flows: Use a data flow diagram to document exactly what PHI and PII your vendors store, process, or transmit on your behalf. You cannot notify affected individuals if you don’t know what data was exposed.
  • Test your Incident Response Plan: Conduct a tabletop exercise specifically simulating a vendor-originated breach. NIST SP 800-61 (Computer Security Incident Handling Guide) provides the framework. CMIT Solutions can facilitate this exercise for your Las Vegas team.
  • Verify your cyber insurance policy: Confirm that your policy covers third-party/vendor-originated breaches and business interruption from vendor outages. Many policies have exclusion clauses that catch business owners off guard during claims.

How CMIT Solutions of Las Vegas Protects Your Business

The Conduent breach is a textbook example of why reactive cybersecurity is not a strategy — it’s a liability. At CMIT Solutions of Las Vegas, we help Southern Nevada businesses build proactive, layered defenses that address the exact gaps this breach exposed:

  • Vendor Risk Management Program: We build and maintain your vendor security questionnaire process, BAA tracking, and third-party audit schedule — so you always know the security posture of every company that touches your data.
  • 24/7 Managed Detection and Response (MDR): Our Security Operations Center monitors your environment around the clock, detecting the behavioral anomalies — like the large-scale data staging SafePay performed inside Conduent — that signature-based tools miss.
  • HIPAA Compliance Management: For Las Vegas healthcare providers, insurers, and their business associates, we conduct full HIPAA risk analyses under 45 CFR §164.308(a)(1) and deliver documented remediation plans that satisfy HHS OCR scrutiny.
  • Zero-Trust Network Architecture: We design and implement network segmentation and PAM solutions that contain a vendor compromise before it becomes a company-wide catastrophe.
  • Incident Response Planning and Tabletop Exercises: We test your team’s response before an attacker does.

Las Vegas businesses don’t get a second chance at a first breach. Schedule a no-obligation Vendor Risk Assessment with Adam Lopez and the CMIT Solutions of Las Vegas team today.

📞 Call us: (702) 725-2877  |  🌐 cmitlasvegas.com  |  📧 info@cmitlasvegas.com

Original Source & Further Reading

This analysis builds on investigative reporting by the editorial team at The HIPAA Journal, the leading independent authority on HIPAA compliance and healthcare data security, as well as corroborating reporting from GovInfoSecurity and ISMG:

Adam Lopez is the owner of CMIT Solutions of Las Vegas, a managed cybersecurity and IT services provider serving Southern Nevada businesses. This post is for informational purposes and does not constitute legal or compliance advice. For HIPAA-specific guidance, consult a qualified healthcare compliance attorney.
