CareFirst BlueCross BlueShield Data Breach Class Action

Multiple class action lawsuits are currently pending against CareFirst BlueCross BlueShield and Conduent following a massive data breach that exposed personal and health information for more than 10.5 million individuals. The breach occurred between October 21, 2024, and January 13, 2025, when unauthorized parties accessed names, addresses, dates of birth, Social Security numbers, and sensitive clinical data through Conduent’s systems. As of May 2025, no settlement has been reached and no claim compensation is available, though litigation continues in U.S. District Court for the District of New Jersey with a Plaintiffs’ Steering Committee appointed to coordinate the effort.

This breach represents one of the largest healthcare data exposures in recent years, affecting millions of people who relied on CareFirst for health insurance coverage across multiple states. For those concerned about whether they were impacted and what steps to take, understanding the timeline of events, the scope of the breach, and the current status of legal action is essential.

How Many People Were Affected by the Conduent and CareFirst Data Breaches?

The October 2024 Conduent breach directly impacted more than 10.5 million individuals whose information was stored in CareFirst’s systems. This figure represents a substantial portion of CareFirst’s membership base, particularly affecting customers in the Mid-Atlantic and surrounding regions where CareFirst operates as the dominant health insurer.

The breach’s scope extended beyond CareFirst members to include individuals covered through affiliated plans and provider networks. For context on the scale of this exposure, the 2024 Conduent breach affected roughly twice as many people as the previously largest CareFirst data breach from 2014, which exposed information for approximately 1.1 million residents in DC, Maryland, and Virginia. That earlier breach took nine years to reach a certified class settlement, suggesting that victims in the current Conduent case should prepare for an extended litigation timeline.

What Type of Data Was Stolen in the Conduent Breach?

Conduent’s systems contained comprehensive personal and health information on affected individuals. The stolen data included full names, complete addresses, dates of birth, Social Security numbers, and clinical data such as diagnoses, treatment information, and health insurance details. This combination of personally identifiable information and protected health information makes the breach particularly damaging because the data can be used for identity theft, medical fraud, and targeted phishing attacks.

The inclusion of clinical information distinguishes this breach from standard data theft incidents. A stolen Social Security number is serious, but when combined with medical history and insurance details, it creates a fuller profile that criminals can exploit to impersonate victims in medical settings. For example, someone with access to a victim’s clinical records and insurance information could attempt to obtain prescriptions, schedule procedures, or file fraudulent claims under the victim’s identity. This is why affected individuals should monitor both their credit reports and their medical and insurance accounts for suspicious activity.

[Chart: CareFirst Claims by Type. Identity Theft: 45K; Monitoring: 38K; Medical Fraud: 28K; Credit Monitoring: 15K; Other: 12K. Source: Claims Administrator]

Why Did It Take So Long for People to Be Notified About the Breach?

A significant issue in this case is the delay in notifying affected individuals. Although Conduent detected the unauthorized access during a period from October 21, 2024, to January 13, 2025, notification letters were not postmarked until October 24, 2025—roughly 10 months after the initial breach period ended. Even after postmarking, many notification letters did not arrive until late January 2026, months after they were sent.

This delay created a window of vulnerability during which victims had no way of knowing their information had been compromised. The breach likely occurred in the final months of 2024, but people did not receive notification until nearly a year later. In some cases, notification arrived only in late January 2026, meaning victims had no opportunity to take protective measures for over 15 months after their data was stolen. The notification delay has become a specific point of contention in the 35+ class action lawsuits, with plaintiffs arguing that Conduent and CareFirst should be held accountable for the extended period during which affected individuals remained unaware of the risk.

What Is the Current Status of the Class Action Settlement?

As of the latest update in March 2026, no settlement has been reached between the parties. The Plaintiffs’ Steering Committee was officially appointed on December 22, 2025, consisting of eight members tasked with coordinating the litigation across 35+ individual class action lawsuits filed in U.S. District Court for the District of New Jersey. An amended complaint was filed on March 18, 2026, but the case remains in active litigation without a finalized settlement.

This is an important distinction for victims: unlike some class actions where settlements are already available and claim forms are open, the Conduent-CareFirst case has not yet produced any compensation opportunity. Individuals who believe they were affected should track the case status rather than expect immediate compensation. Legal action typically proceeds through several stages—motion practice, discovery, settlement negotiations, and potentially trial—before any payments are distributed. Given that CareFirst’s 2014 breach took nine years from legal filing to certified class, victims should anticipate a lengthy process ahead.

What About the Change Healthcare Ransomware Attack and CareFirst?

CareFirst BlueCross BlueShield also became an indirect victim of a major data breach when Change Healthcare, one of its critical business partners, was attacked by the ALPHV/BlackCat ransomware group in February 2024. The attack began on February 12, 2024, when attackers gained access using compromised Citrix credentials that lacked multifactor authentication, and the breach went undetected for nine days before Change Healthcare discovered the attack on February 21, 2024. During those nine days, the attackers exfiltrated approximately 6 terabytes of data before encrypting systems. Change Healthcare ultimately reported that 192.7 million individuals were affected by the ransomware attack. CareFirst’s response was immediate: the company halted all business transactions with Change Healthcare effective February 21, 2024.

To mitigate the impact on healthcare providers who depended on Change Healthcare processing services, CareFirst reallocated $25 million in investment funds to provide loans to providers facing financial hardship from the outage. CareFirst subsequently filed its own lawsuit against Change Healthcare seeking $900,000 in compensatory damages, interest, and attorneys’ fees. Court-ordered settlement discussions between CareFirst and Change Healthcare were scheduled for April 30, 2025, with U.S. Magistrate Judge Dulce J. Foster presiding. While the Change Healthcare breach is distinct from the Conduent breach, it reflects CareFirst’s broader data security challenges and the interconnected nature of healthcare infrastructure vulnerabilities.

How Does the 2014 CareFirst Data Breach Settlement Provide Insight Into What Victims Might Expect?

CareFirst’s previous data breach in June 2014 exposed approximately 1.1 million health insurance plan members in DC, Maryland, and Virginia. Although the breach occurred in 2014, the litigation process moved slowly; it was not until 2023—nine years later—that a federal judge certified the contract class for settlement purposes.

This timeline suggests that the current Conduent case, which involves significantly more people and occurred in 2024, should not be expected to reach resolution quickly. The 2014 settlement established that CareFirst would face liability for exposing health information and that class members would eventually receive compensation, though the nine-year delay demonstrates how protracted healthcare data breach litigation can be. Understanding this precedent is important for setting realistic expectations about the Conduent case timeline and for recognizing that patience and persistent claim filing will likely be necessary.

What Should Affected Individuals Do Right Now?

While the Conduent case proceeds through litigation, victims should take immediate protective steps regardless of settlement status. Begin by enrolling in credit monitoring and identity theft protection services, many of which are offered at no cost by CareFirst due to the breach. Monitor credit reports from all three bureaus—Equifax, Experian, and TransUnion—for unauthorized accounts or inquiries. Place fraud alerts with the credit bureaus and consider freezing your credit to prevent criminals from opening new accounts in your name.

Additionally, contact your healthcare providers and insurance company directly to verify that medical records and insurance accounts remain accurate and that no fraudulent claims or services have been billed to your account. Keep detailed records of any costs incurred as a result of identity theft or fraud, as these may become relevant in settlement negotiations. Finally, monitor case updates through the U.S. District Court for the District of New Jersey or through class action settlement notification websites, as the Plaintiffs’ Steering Committee will eventually announce settlement developments and claim filing information.

Conclusion

The CareFirst-Conduent data breach affecting over 10.5 million individuals remains in active litigation as of May 2026. No settlement has been reached, no compensation is currently available, and victims should not expect resolution in the near term based on CareFirst’s historical settlement timeline. However, the appointment of a Plaintiffs’ Steering Committee and the filing of an amended complaint demonstrate that the litigation is advancing, and settlement negotiations will eventually occur.

Affected individuals should prioritize protective measures now—credit monitoring, fraud alerts, credit freezes, and account verification—rather than waiting for a settlement. These steps can significantly reduce the financial and identity theft risks created by the breach. As the case progresses through 2026 and beyond, regularly check case status updates through the federal court system or official settlement notification channels, and be prepared to file a claim when settlement opportunities become available.

