Texas Attor­ney Gen­er­al Ken Pax­ton Demands Infor­ma­tion from Blue Cross Blue Shield of Texas and Con­duent as Part of Inves­ti­ga­tion into Data Breach 

A press release from the Texas State Attorney General:

Attorney General Ken Paxton issued Civil Investigative Demands (“CIDs”) to Blue Cross Blue Shield of Texas (“BCBS”) and Conduent Business Services LLC (“Conduent”), demanding documents and information pertinent to the investigation of the Conduent data breach that exposed the sensitive personal data of approximately four million Texans.

The Office of the Attorney General is investigating the breach of Conduent’s system security that occurred between October 21, 2024 through January 13, 2025. During the breach, an unauthorized third-party accessed the protected health information of Texas residents, including Texas Medicaid recipients.

“The Conduent data breach was likely the largest breach in U.S. history. If any insurance giant cut corners or has information that could help us prevent breaches like this in the future, I will work to uncover it,” said Attorney General Paxton. “Texans deserve to know that their private health information is being handled responsibly and in full compliance with the law. My office is committed to uncovering exactly what went wrong, taking action to protect Texas families, and ensuring there is justice for any negligence.”

BCBS is one of the multiple entities affected by the Conduent data breach. As part of the investigation, Attorney General Paxton is demanding documents and evidence of BCBS’s compliance with state law in efforts to protect confidential information. Conduent’s security measures, communications, and compliance with Texas law are also under investigation.

The Conduent data breach numbers are still unknown but are growing weekly, with some media outlets estimating at least 25 million have been affected.

Texas is the second state to announce an investigation into Blue Cross Blue Shield. Montana recently announced an investigation into Blue Cross Clue Shield’s compliance with that state’s notification requirements, an investigation that the health insurer is fighting. More than 462,000 BCBS Montana members were affected by the Conduent breach. While Montana seems to be focusing on the insurer’s response to the breach, Texas seems to be investigating their data security before the breach.

With two states now investigating Conduent and BCBS, can other states — and the federal government — be far behind?