Conduent Faces Multiple Lawsuits Over 10.5 Million-Record Data Breach

November 9, 2025HIPAA News0

The Conduent data breach that affected over 10.5 million people prompted at least 9 class action lawsuits filed in the New Jersey federal court. It is expected that more lawsuits will be filed, as several law offices have stated they are investigating potential class-action litigation.

According to the lawsuits’ claims, Conduent was negligent as it did not sufficiently secure its system against unauthorized access and it failed to deliver enough notifications to the people impacted by the data breach. Conduent first discovered the cyberattack in January 2025 after the hackers had already had access to the system for three months. Three months later, Conduent announced the data breach, stating that a significant amount of individuals’ sensitive information was compromised.

Investigating a data breach and determining the affected individuals and involved data takes time. Nevertheless, the lawsuits question the duration of that process. Conduent took 10 months from the discovery of the cyberattack to notify the affected individuals about the compromise of their sensitive data. The company started sending breach notification letters in October 2025, one year after unauthorized individuals initially accessed Conduent’s system.

Besides negligence and negligence per se, other claims in the lawsuits include unjust enrichment and breach of third-party beneficiary contract. The plaintiffs seek statutory, compensatory, and punitive damages, a jury trial, and injunctive relief, with the court mandating Conduent to enforce various security steps to adequately protect sensitive data.

The threat group responsible for the attack was probably the Safepay ransomware group. In January 2025, the group listed Conduent on its data leak site but not in its data leak blog. That usually means that the victim paid a ransom or the group sold the stolen information, though ransomware groups typically make up claims.

Class action lawsuits are increasing, and Conduent is likely to be under regulatory investigation because of the data breach. States tend to investigate big data breaches to find out if proper cybersecurity procedures were put in place in accordance with state regulations and the HIPAA Security Law. How the attackers gained access to a huge volume of sensitive data will be questioned.

The HHS’ Office for Civil Rights will likewise investigate Conduent to confirm is the data breach was caused by HIPAA compliance violations. These investigations normally take several months or years, but OCR has mentioned it is looking into high-impact incidents first, like in the Change Healthcare cyberattack that impacted about 190 million people. There is, at this time, no information that Conduent violated any laws at the government or state level.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2025 ComplianceHome. All rights reserved.