"To date, Conduent has been unwilling to provide the department with the information needed to assess the impact of what is reportedly one of the largest cybersecurity breaches in U.S. history," Missouri's Department of Commerce and Insurance (DCI) said in a public notice — a blunt charge that has widened a probe into a cybersecurity incident affecting "25 million-plus" people, according to filings and public statements from the company.
Missouri DCI demands information and flags consumer risk
The Missouri DCI published a public request asking insurers to report "about any services utilized through Conduent Business Services or its affiliates" after Conduent disclosed a cybersecurity incident. The state said investigators have been in direct contact with Conduent since March and had earlier urged insurers that use Conduent to determine whether their members were affected and "to ensure that their members have been notified by Conduent."
Angela Nelson, the DCI director, said in a statement: "We are concerned and disappointed that Conduent has not provided sufficient information for regulators to fully assess the potential impact of this breach. Clear and timely communication is critical in these situations, and we are continuing to seek the details needed to evaluate any risk to Missouri insurance consumers." The department also warned consumers "to remain alert and take proactive steps to safeguard their personal information as the investigation continues."
Conduent’s public disclosures and corporate position
Conduent, a spinoff of Xerox that provides mailroom and document processing services, payment integrity services and other back-office support — including receipt of insurance claim forms — first publicly disclosed the incident in an April 2025 filing to the U.S. Securities and Exchange Commission. The company said it discovered the incident on Jan. 13, 2025, and its investigation found hackers had access to Conduent servers from Oct. 21, 2024, to Jan. 13, 2025.
Conduent estimated in a February filing to Wisconsin regulators that the breach affected "25 million-plus" individuals nationwide. The company told ISMG that it "is committed to cooperating with the DCI to the extent it can do so without violating any laws, regulations, or contractual obligations." Conduent also said the affected unit, Conduent Business Services, "is not a licensee with DCI" and that it "does not have visibility regarding which of its clients are licensees with DCI, and it has no authority to speak with DCI on behalf of any clients."
Conduent said it agreed to provide notice on behalf of its clients and informed clients that the DCI asked licensees with affected Missouri residents to submit reports to the department. "We also informed DCI that we support their bulletin plan to communicate directly with its licensees, and we will continue to respond to DCI’s requests as appropriate," the company said.
Scope of the incident and external signs: SafePay listing and data types exposed
Security monitors and filings indicate the incident was substantial. Darkweb monitoring platform Ransomware.live reported that ransomware gang SafePay listed Conduent on its dark web leak site in February 2025, threatening to publish 8.5 terabytes of stolen data. Conduent’s own disclosures and regulator filings note that potentially compromised information includes names, addresses, dates of birth, Social Security numbers, health insurance details and medical information.
Legal and regulatory fallout is already mounting: Conduent faces numerous proposed civil class action lawsuits tied to the incident, and several states — including Missouri, Montana and Texas — have publicly launched investigations.
Other probes and legal pressure: Texas subpoenas and expert commentary
In February, Texas Attorney General Ken Paxton said his office served Blue Cross Blue Shield and Conduent with an administrative subpoena seeking evidence of compliance with Texas protections for confidential information. Paxton described the incident as "the largest data breach in U.S. history," even as the reporting noted the 2024 Change Healthcare ransomware attack affected 193 million people.
Industry and legal experts quoted in coverage framed Conduent’s stance as potentially rooted in uncertainty rather than obstinacy. Steven Adler, a partner at The Edmund Group and a former risk management executive at Humana, said if Conduent appears uncooperative, "it may most likely be their inability to answer key questions with confidence" — including the total number of consumers affected, the identifiers exposed, and whether fourth parties were impacted. Adler also said Conduent "very likely" is under scrutiny by federal investigators, "including the U.S. Department of Health and Human Services' Office of Civil Rights."
Regulatory attorney Paul Hales of Hales Law Group predicted the breach will present "sophisticated legal, strategic, business, public relations and political problems" for years to come.
What this means for insurers, consumers, and regulators
- Insurers: Firms that contracted services from Conduent will be asked by Missouri to report whether they used Conduent services for Missouri residents and to confirm notification status; they may also face subpoenas or parallel state inquiries, as seen in Texas.
- Consumers: Individuals potentially affected — Conduent and state filings cite names, Social Security numbers, insurance and medical details as possible exposures — are being told by Missouri to remain alert and safeguard personal information.
- Regulators: Missouri’s DCI has publicly criticized Conduent’s level of disclosure and continues to press for information; state investigations in multiple jurisdictions and proposed litigation indicate coordinated scrutiny across legal and regulatory channels.
The record in public filings and state statements shows a company confronting a large-scale intrusion while regulators press for clearer answers. Missouri continues to demand disclosure from Conduent and insurers; Conduent says it will cooperate "to the extent it can" and will continue to respond "as appropriate." Whether that stance satisfies state investigators, courts and affected consumers is now the central unresolved fact in this unfolding case.
Original reporting: Missouri Alleges Conduent is Stonewalling State on Hack — GovInfoSecurity
