Missouri regulators say Conduent is not cooperating in breach investigation

The Missouri Department of Commerce and Insurance is facing challenges with its investigation into a 2024 hack at Conduent Business Services, alleging that Conduent has been unwilling to provide the department with the information it needs to assess the impact of "what is reportedly one of the largest cybersecurity breaches in U.S. history," the DCI stated.

The Missouri DCI is now asking health insurance companies to come forward with information about any services they conducted through Conduent before or during the breach period, which occurred between Oct. 21, 2024, and Jan. 12, 2025, along with the nature of those services.

Conduent provides back-end processing, printing and payments services to healthcare organizations, insurers, state agencies and other organizations. The data breach occurred when an unauthorized party gained access to Conduent systems and exfiltrated files containing the personal information of clients and end users.

Current estimates put the number of impacted individuals at around 25 million, but the full extent of the data breach remains unknown more than a year after the initial intrusion. The breach impacted several Blue Cross Blue Shield locations, Premera Blue Cross in Washington, Humana and organizations in other sectors.  

The Missouri DCI issued a bulletin in March 2026, reminding insurers of their duty to report cybersecurity breaches to the DCI director and to alert impacted members of the breach by April 30.

A second bulletin, issued in May, once again reminded insurers to fulfill their obligations to consumers and the state, especially in the absence of assistance from Conduent.

"We are concerned and disappointed that Conduent has not provided sufficient information for regulators to fully assess the potential impact of this breach," DCI Director Angela Nelson said in a statement accompanying the bulletin.

"Clear and timely communication is critical in these situations, and we are continuing to seek the details needed to evaluate any risk to Missouri insurance consumers."

The DCI noted that it has been in direct contact with Conduent, but the company has not been willing to provide the department with further information about the breach.

The second bulletin urged insurers and any other regulated entity that utilized Conduent's services to contact the department's market conduct section, saying that any information it receives will guide the DCI's response to the breach.

"We are committed to using every tool available to understand the scope of this incident and to ensure Missourians have the information and resources needed to protect themselves," Nelson added.

Missouri is not the only state investigating the Conduent breach. In February 2026, Texas Attorney General Ken Paxton launched an investigation into Blue Cross Blue Shield of Texas and Conduent Business Services regarding the breach, demanding that BCBS of Texas and Conduent provide documents relevant to the investigation and evidence of their compliance with state laws.

In its most recent quarterly report, Conduent noted that it is continuing to work on consolidating the lawsuits arising from the breach. Most of the lawsuits have been consolidated into one single action in a U.S. District Court for the District of New Jersey. Conduent said in the quarterly filing that it would continue to deny the plaintiff's allegations.

"The Company has also been responding to several subpoenas, information requests, and investigations from certain governmental agencies and other stakeholders," Conduent noted. "The Company is not able to determine or predict the ultimate outcome or duration of these proceedings or reasonably provide an estimate or range of estimates of the possible outcome or loss, if any."

Jill Hughes has covered health tech news since 2021.