Down, down, down go Conduent’s stock prices.
Breaches by third-party vendors or business associates account for the majority of patient records breached in incidents. The 2025 Breach Barometer report, which includes more than HIPAA-covered entities, found that 77% of breached patient records resulted from business associate breaches.
Some business associate breaches affect millions of patients or consumers. In the U.S. healthcare sector, the Change Healthcare breach was the largest reported to date, affecting more than 190 million patients. Costs for the incident were estimated as $2.87 billlion, but the total cost to the firm has yet to be released.
Other third-party vendor breaches have not been as huge, but some have affected between 10 – 20 million patients each. And while many entities will survive a big breach, not all may recover quickly or fully. For example, the American Medical Collection Agency, operated by Retrieval-Masters Creditors Bureau, was a medical billing and debt collection firm. Following a 2019 breach that affected more than 24 million of its clients’ patients, the firm filed for Chapter 11. The breach had cost it two of its biggest clients, Quest Diagnostics and LabCorp, and had triggered multiple lawsuits and a multi-state suit by states attorney general.
Conduent Business Solutions Discloses a Ransomware Attack
This week, some may be wondering if, or how, Conduent Business Solutions can survive a data breach they had in 2024.
Conduent Business Solutions (“Conduent”), which started life as a spinoff from Xerox in 2017, provides transaction processing, government services, healthcare solutions, and BPO. Headquartered in New Jersey, it describes itself as “creating exceptional outcomes for our clients and the millions of people who count on them. It’s why many Fortune 100 companies and over 600 governments depend on us when it matters most.” A look at Conduent’s performance over the past year, however, suggests its results have been less than exceptional. Their stock prices have dropped significantly, and they are also defending against numerous class-action lawsuits stemming from a data breach.
A Ransomware Incident Impacts More Than 25 Million
On October 21, 2024, Conduent experienced a data breach that was not discovered until January 13, 2025, when the firm suffered a two-day outage that disrupted electronic money transfers and EBT payments.
To make matters worse, on or about February 20, 2025, the Safepay ransomware group added Conduent to its dark web leak site. They claimed to have exfiltrated 8.5 TB of data, and provided some proof of claims. They gave Conduent two days to respond or they would leak the data they claimed to have. The Conduent listing was subsequently removed. Removal of a listing often suggests, but does not prove, that the victim paid some ransom demand. And of course, even when gangs promise to delete data, there is no way of knowing that they have really and truly deleted and not kept a convenient copy somewhere.
On April 9, Conduent informed the Securities & Exchange Commission of the breach. “While the Company did not experience material impacts to its operating environment or costs from the event itself, the Company has incurred and accrued material non-recurring expenses in the first quarter related to the event based on potential notification requirements,” they stated.
Although Conduent discovered the breach on January 13, 2025 and reported something to the SEC in April, they first began notifying affected individuals in October, 2025. Conduent sent notification letters on behalf of some of its clients. Other clients submitted their own notification letters. Conduent’s breach notification template is available on the Vermont Attorney General’s website.
Inspection of HHS’s public breach tool reveals that Conduent has notified HHS on behalf of Blue Cross Blue Shield Montana, Humana, and Premera Blue Cross. Whether other reports will appear remains to be seen.
As numbers slowly dribble out, the number of people affected continues to climb. As of this week, it now appears that approximately 25 million people have been affected by the incident, based on numbers submitted to two states. We do not know the total number, however, because Conduent has not issued any statement revealing the total number affected by the breach.
And although clients and numbers are first being disclosed, Conduent is already facing a consolidated class-action lawsuit in federal court in New Jersey and investigation by the U.S. Department of Health & Human Services, and an audit of Blue Cross Blue Shield Montana’s breach response by Montana State Auditor and Commissioner of Securities and Insurance.
How many people were affected by this breach? What will it cost Conduent in incident response, lost clients, and other expenses? We do not yet know for sure. Although not all of its woes can be attributed to the data breach, the breach appears to have impacted Conduent’s financial health.
On January 13, 2025, Conduent’s stock price was $2.00. On February 19, it closed at $4.05. On February 20, after Safepay ransomware gang added Conduent to its leak site, it closed at $3.88 and continued to fall after that. Stock prices recovered a bit mid-summer, but after notifications began to go out and make news, stock prices dropped again. Conduent’s stock price closed at $1.37 on February 5. Between February 19, 2025 and February 5, 2026, Conduent’s stock had dropped approximately 65%–66%.
Could Conduent’s stock price drop be due to general economic downturns in the U.S. that we saw in wild swings as the president announced tariffs, rescinded tariffs, and made other announcements? For the same time period as in the previous figure, the Nasdaq index was going up throughout the summer and not dropping like Conduent’s price did towards the end of the year. From February 19, 2025 to February 5, 2026, Between February 19, 2025, and February 5, 2026, the NASDAQ Composite index increased by approximately 12.39%.
Whether Conduent Business Solutions will continue as is remains to be seen. Analysts note that Conduent may be negotiating to be bought out, and there have been hints of a buyout or interest in being bought out since February 2025.
