
Why Are Third-Party Vendor Breaches So Hard to Figure Out?

Marianne Kolbasuk McGee (HealthInfoSec) •
January 6, 2026    

Conduent Hack Victim Count Soars by at Least 50%
Conduent has updated its breach report to Texas regulators, saying a 2024 hack affected nearly 14.8 million Texans alone. The company had previously reported that 10.5 million people were affected nationwide. (Image: Conduent)

The victim tally of a 2024 hacking incident at medical services provider Conduent has soared again following a new regulatory disclosure by the company, this time to Texas authorities. The company told Lone Star state officials the breach affected nearly 14.8 million Texans alone.


That figure exceeds by nearly half the previous total of 10.5 million people nationwide that Conduent had said were affected by the hack.

Some experts say accurately counting the number of people affected in large vendor health data breaches is a persistent struggle for many companies, largely because a vendor's long list of clients each has its own set of customers whose records may be commingled in the vendor's systems.

“This is a significant risk across the healthcare sector with payers, providers, suppliers and research entities,” said Steven Adler, partner at consulting firm The Edmund Group and risk management executive at health insurer Humana.

New Jersey-based Conduent initially disclosed the incident to investors last April (see: Lawsuits, Investigations Piling Up in Conduent Hack).

Conduent clients linked to the hack include insurers Blue Cross and Blue Shield of Texas, Blue Cross and Blue Shield of Montana, Premera Blue Cross and Humana, as well as some state government agencies, including Wisconsin Department of Children and Families (see: Montana Officials Looking into BCBS Breach Tied to Vendor).

Blue Cross and Blue Shield of Texas, in a November statement to Information Security Media Group, said Conduent, which provides mail room and other services to the insurer, had notified it that “some” of its member data was affected by the cyber incident. The insurer did not immediately respond to a Tuesday request for comment.

Conduent provides a wide range of back office services to businesses and governments in 22 countries. It launched in January 2017 when Xerox spun off its business services division, creating two separate publicly traded companies.

In its April disclosure, Conduent said that on Jan. 13, 2025, it experienced an operational disruption and learned that a threat actor gained unauthorized access to its network.

An investigation determined that the unnamed threat actor exfiltrated a set of files “associated with a limited number of the company’s clients,” Conduent told investors.

Conduent in a statement to ISMG on Tuesday said the company agreed to send notification letters, on behalf of its customers, to individuals whose personal information may have been affected by the hacking incident and has set up a call center to address consumer inquiries.

Dark web monitoring platform Ransomware.live found that the ransomware gang SafePay listed Conduent on its leak site in February 2025 as one of its victims, allegedly threatening to publish 8.5 terabytes of the company’s stolen data.

Conduent did not immediately respond to a request for additional details involving the hacking incident.

Third-Party Vendor Factors

Conduent is not the first breached third-party vendor that’s had to update its victim count repeatedly – by the millions – in large hacking incidents.

UnitedHealth Group’s IT services unit Change Healthcare filed several breach reports to regulators before landing on the final record-breaking count of 193 million people affected by its February 2024 ransomware attack.

Data complexity and aggregation are among the toughest challenges for third-party vendors when sorting out the information and victims affected in major security incidents, some experts said.

“Many third-party vendors, especially those operating at scale, support dozens, hundreds, or even thousands of covered entities, often through shared platforms and multi-tenant environments,” said Dave Bailey, vice president of consulting services at privacy and security firm Clearwater.

“Data from multiple clients can be co-mingled, replicated across systems, or passed through downstream integrations, making it extremely difficult to trace precisely which records were accessed, exfiltrated, or altered during an incident.”

HIPAA covered entities often still underestimate the security risk posed by their vendors, Bailey said.

“Many organizations still assess vendors as if breaches are unlikely events,” he said. “In reality, breaches should be treated as an inevitability, and the focus should be on blast-radius reduction, resilience and rapid response. That means understanding what data a vendor truly needs, how long they retain it, and how quickly an incident can be detected and contained.”

Adler said that healthcare sector organizations sometimes overlook key areas of risk posed by their critical third parties.

“Covered entities spend a significant amount of time assessing their suppliers’ cyber hygiene, but there also needs to be an equally important review during due diligence and ongoing monitoring of supplier behaviors in the marketplace,” he said. “This could include changes in leadership, regulatory action, litigation, 8-K filings and of course data breaches. These adverse behaviors should be important to any covered entity.”

As of Tuesday, the Conduent incident appears on track to rank as at least the second largest health data breach reported in 2025, behind the hack on supplemental health insurer Aflac, which affected 22.7 million people.