Ten Lawsuits, One Courthouse, and a Growing Plaintiff Count and this is why you need to take governance, risk, and compliance serious.
The litigation response to the Conduent breach has been swift, coordinated, and is showing no signs of slowing down. With at least ten class actions filed so far, the Conduent data breach litigation is quickly becoming one of the largest healthcare-related data breach cases to date. All cases have been filed in the U.S. District Court for the District of New Jersey. That consolidation in a single federal district is not accidental — New Jersey is Conduent’s home jurisdiction, and centralizing the litigation there sets the stage for a likely Multi-District Litigation consolidation order that would coordinate all cases before a single judge.
The Cases Filed
The docket as it currently stands includes the following actions, all pending in the U.S. District Court for the District of New Jersey:
Kennedy et al. v. Conduent Business Services LLC et al. (Case No. 2:25-cv-17233); Larson v. Conduent Business Services LLC et al. (Case No. 2:25-cv-17242); Bianco v. Conduent Business Services LLC (Case No. 2:25-cv-17177); Burwell v. Conduent Business Services LLC (Case No. 2:25-cv-17170); Fray et al. v. Conduent Business Services LLC (Case No. 2:25-cv-17137); Waters et al. v. Conduent Business Services LLC et al. (Case No. 2:25-cv-17218); Heller v. Conduent Business Services LLC (Case No. 2:25-cv-17209); Moody et al. v. Conduent Business Services LLC (Case No. 2:25-cv-17227); and Berkenfeld v. Conduent Business Services LLC (Case No. 2:25-cv-17197).
A separate action has been filed in Montana federal court. Attorneys from Western Justice Associates filed a complaint in the U.S. District Court of Montana against Health Care Services Corporation, the licensee of Blue Cross Blue Shield in five states including Montana, and the case may be combined with the New Jersey actions in multi-district litigation proceedings.
Beyond the filed cases, the proposed classes are represented by an array of major plaintiffs’ firms including Lite DePalma Greenberg & Afanador LLC, Milberg PLLC, Morgan & Morgan PA, The Dann Law Firm, Edelson Lechtzin LLP, Carella Byrne Cecchi Brody & Agnello PC, Goetz Geddes & Gardner PC, Kimmel & Silverman PC, Wolf Haldenstein Adler Freeman & Herz LLP, and Schubert Jonckheer & Kolbe LLP. The presence of Morgan & Morgan — one of the largest plaintiff personal injury firms in the country with enormous financial resources — alongside specialized data breach boutiques signals that this litigation is being resourced as a major, long-term case rather than a quick-settlement nuisance suit.
What the Plaintiffs Are Claiming
The legal theories across the various complaints are consistent and deliberately structured to survive HIPAA’s absence of a private right of action — a recurring challenge in healthcare breach litigation that plaintiffs’ attorneys have become adept at navigating.
Across the growing list of cases, plaintiffs collectively accuse Conduent of negligence, negligence per se, breach of third-party beneficiary contract, and unjust enrichment. The third-party beneficiary theory is particularly significant. The lawsuits are not filed under HIPAA, which does not provide for a private cause of action. The lawsuits claim breach of privacy and negligence. But the plaintiffs’ lawyers will cite HIPAA as the standard. If they can prove that Conduent did not comply with HIPAA or failed to meet its requirements, they will argue that this proves negligence. This strategy — using HIPAA as the evidentiary standard for negligence without relying on it as a direct cause of action — has become the template for healthcare data breach litigation, and courts have been receptive to it.
In the Berkenfeld complaint, filed November 4, 2025, plaintiff Brandon Berkenfeld alleges Conduent failed to safeguard sensitive information and did not provide timely notice to affected individuals, seeking to represent a nationwide class. In the Larson action, Eric Larson of Montana alleges that Conduent and Blue Cross Blue Shield of Montana violated HIPAA and breached fiduciary duties under the Federal Trade Commission Act.
The proposed class action lawsuits make similar claims, including that the company was negligent in failing to protect individuals’ personal information from cybercriminals. “By obtaining, collecting, and storing plaintiff’s and class members’ private information, defendant assumed equitable and legal duties to safeguard plaintiff’s and class members’ highly sensitive information, to only use this information for business purposes and to only make authorized disclosures,” alleged one of the complaints.
The Marshall complaint — one of the later-filed actions — seeks financial damages and injunctive relief “including the adoption of reasonably sufficient practices to safeguard the private information in defendant’s custody to prevent incidents like the data breach from reoccurring in the future, and for the defendant to provide identity theft protective services to plaintiff and class members for their lifetimes.” The lifetime identity protection demand is significant and reflects the permanence of the exposure — Social Security numbers, once compromised, cannot be changed, and the harm extends indefinitely.
The class action lawsuits seek class certification, compensatory and statutory damages, and injunctive relief requiring Conduent to upgrade its cybersecurity practices and monitoring protocols.
The Montana Angle: A State-Specific Disclosure Violation
The Montana litigation adds a dimension that the New Jersey cases do not have: a specific state law disclosure obligation that may have been violated. In 2023, Montana passed a law requiring businesses in the state to disclose any data breach “without unreasonable delay.” Dominic Cossi, a lawyer with Western Justice Associates representing the plaintiffs, told Newsweek that there is no indication that any of the entities involved complied with the quick disclosure law. Given that BCBS Montana did not notify impacted individuals until on or around October 2025, approximately ten months after the breach was first detected, the Montana disclosure timing argument has a factual foundation that is difficult to dispute.
Plaintiffs in the Montana case also claim that at least one plaintiff has noticed “suspicious activity” regarding her Social Security number this year — the first documented instance of actual downstream harm directly linked to the Conduent breach appearing in the litigation record. That allegation, if supported by evidence through discovery, strengthens the negligence claims significantly by demonstrating concrete injury rather than merely threatened risk.
The Defendants Beyond Conduent
While Conduent is the primary defendant in most actions, the litigation net has been deliberately cast wider to capture the client organizations whose data Conduent was processing. The following clients of Conduent have been named as defendants or co-defendants in various actions: Blue Cross Blue Shield of Montana, Blue Cross and Blue Shield of Texas, Humana, Premera Blue Cross, Wisconsin Department of Children and Families, and Oklahoma Human Services.
The inclusion of the insurance clients and government agencies reflects the third-party beneficiary theory — plaintiffs were customers of those organizations, not Conduent directly, and their relationship with the insurer or agency gives them standing to argue that Conduent’s BAA obligations ran to their benefit. Whether courts ultimately accept this theory across all cases will be one of the defining legal questions of the litigation. A ruling that insurer clients can be jointly liable for a vendor’s security failures would fundamentally reshape how healthcare organizations structure their vendor oversight programs.
What Conduent Has Acknowledged Paying
In its first-quarter earnings report, Conduent said it did not experience any material impacts to its operating environment or costs from the January 2025 cyberattack itself. However, it did incur $9 million in breach costs related to notifications by the end of September 2025 and anticipates a further $16 million in costs will be incurred by the first quarter of 2026. Conduent said it holds a cyber insurance policy and anticipates that any additional notification costs will be covered by the insurance policy. Further costs may be incurred due to the impacted data, reputational harm, litigation, and regulatory actions, which could impact the company’s financial position.
The $25 million in disclosed breach costs covers notification only. It does not include litigation defense costs, any eventual settlement or judgment, OCR civil monetary penalties, state attorney general settlements, or the reputational damage to a company whose primary commercial proposition is that it can be trusted to process sensitive data on behalf of major institutions. Strong cybersecurity practices, thorough HIPAA risk analysis, and effective risk management could have prevented a potential loss of over $50 million — and that figure was calculated before the full scale of 25 million affected individuals was confirmed.
The Credit Monitoring Deadline Every Affected Person Needs to Know
Separate from the litigation, Conduent is providing two years of free credit monitoring and identity restoration services through a third-party provider. According to breach notification letters sent starting October 2025, affected individuals must enroll by March 31, 2026. This is a firm deadline stated in Conduent’s official notification letters. The credit monitoring service includes dark web monitoring, credit report tracking from all three bureaus, identity theft insurance coverage, and fully managed identity recovery services if theft occurs. Critically: accepting free credit monitoring does not waive the right to participate in class action lawsuits or recover cash compensation if settlements are reached.
