25.9 Million Americans’ Data EXPOSED in Huge Breach

Red warning symbol on a dark digital background — AMERICANS' DATA EXPOSED

One ransomware crew didn’t just hit a company—it cracked open a government contractor’s vault of Social Security numbers and health data tied to at least 25.9 million Americans.

Story Snapshot

Government technology contractor Conduent says a breach tied to a ransomware intrusion has grown to at least 25.9 million affected people, based on state filings and ongoing review.
Reports say exposed data can include names, Social Security numbers, and health/insurance information—exactly the mix criminals use for identity theft and medical fraud.
Texas reports about 15.4 million affected; Oregon reports about 10.5 million—an eye-catching number that exceeds Oregon’s population and is still being clarified.
Conduent says notifications will continue into spring 2026, with a call center and credit/identity monitoring offered as remediation.

How a GovTech Contractor Became a Mega-Breach Pipeline

Conduent isn’t a trendy Silicon Valley name, but it sits in the middle of everyday government services—processing and managing data for programs that touch healthcare billing, benefits administration, and other public-facing operations.

That scale matters because multiple reports describe Conduent as handling sensitive information for a population measured in the tens of millions, with some coverage pointing to more than 100 million people in its broader ecosystem. When contractors become gatekeepers, one intrusion can ripple across states fast.

Conduent data breach exposed 25 million Americans – including half of Texas https://t.co/aW2sX6icLy pic.twitter.com/6haEhlplco

— New York Post (@nypost) February 9, 2026

Reporting traces the incident to an intrusion discovered in October 2024, followed by a disruptive ransomware event in January 2025 that affected Conduent’s operations for several days.

The attacker has been identified in coverage as the SafePay ransomware group (with variations like SAFEEPAY or “Safeway” appearing in different accounts). The group reportedly claimed it stole more than 8 terabytes of data—an amount consistent with the kind of mass exposure that turns a “company breach” into a national problem.

What Was Exposed—and Why It’s a Long-Term Risk

The most alarming element isn’t just that “data was accessed,” but the type of data described in the reporting: names paired with Social Security numbers and, in some cases, medical and health insurance details. That combination can fuel credit fraud, tax scams, and medical identity theft that can haunt families for years.

Conduent has said it has not seen evidence of misuse at the time of its statements, but the absence of confirmed misuse doesn’t erase the risk when the underlying identifiers can’t simply be changed.

Conduent’s disclosures and the timeline matter for affected Americans who assume “no news is good news.” The company’s SEC-related communications described a significant exposure and a notification process stretching into 2026, while coverage says notifications began for some clients in 2025 and will continue through mid-April 2026.

That means many people may learn late that their information was part of the breach, complicating basic financial planning like refinancing, job changes, or retirement account moves.

Texas and Oregon Numbers Raise Questions That Deserve Answers

State attorney general filings have driven much of the updated victim count, with Texas reporting about 15.4 million affected and Oregon reporting about 10.5 million.

The Oregon figure has drawn scrutiny in coverage because it exceeds the state’s population, raising the possibility of duplicates, multi-state overlap, or reporting quirks tied to how records were counted. Until Oregon clarifies, readers should treat the 25.9 million tally as a minimum based on known reporting—not necessarily a final audited total.

The Accountability Gap: Contractors, Bureaucracy, and Ordinary Citizens

The breach highlights a structural problem conservatives have warned about for years: government depends on private contractors to store and process citizen data, yet ordinary Americans have little practical control over how securely that data is handled.

Conduent has emphasized analysis with outside experts and a formal notification process, and states have oversight roles through their attorneys general. But when systems are centralized and heavily digitized, families pay the price for failures they didn’t choose and can’t vote out.

For now, the most practical takeaway is defensive: watch the mail for official notices, use the offered identity monitoring if you receive it, and treat any unexpected “benefits,” “insurance,” or “government account” messages as suspicious.

Reporting indicates Conduent is using mail notifications and a dedicated call center, with remediation such as 12 to 24 months of monitoring mentioned in coverage. The frustrating reality is that Americans may be stuck playing cleanup while the final scope is still being calculated.

Data breach exposes personal data of 25M Americans

SafePay ransomware group claims to have stolen 8 terabytes of data containing personal informationhttps://t.co/wCY0tvD5oS

— The Big Bad Conservative Wolf (@RightWingNest) February 10, 2026

Policy-wise, the case is likely to intensify scrutiny on how states and federal programs vet cybersecurity for vendors that handle high volumes of sensitive records. The research also ties this incident to a broader rise in U.S. data compromises, suggesting this is not a one-off fluke but part of a pattern.

If government keeps digitizing and outsourcing without stronger guardrails, breaches like this will continue to punish law-abiding citizens—while criminals and bureaucracies move on to the next headline.