
In a recent podcast interview, Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, sits down with host David Braue to discuss the recent data breach at Conduent, including the company's anticipated cost of the incident, their next steps, and more. The podcast can be listened to in its entirety below. 


Welcome to the Data Security Podcast, sponsored by Cimcor. I'm your host, David Braue. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time, while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way.

You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak. That's Cimcor with a C.


David: Joining us today is Scott Schober, cyber expert, CEO of Berkeley Varitronics Systems, and author of the popular books "Hacked Again," and "Senior Cyber". Scott, thanks as always for joining me today.

Scott: Yeah, wonderful to be here with you, David.

David: So, well, we've, of course, had some pretty big breaches this year. One among them is the breach of Conduent. This is a big company that does business process services. Tell us a bit about what this company actually is, and what happened to them.

Scott: Yeah, absolutely. And this is certainly one that gets the headlines, because this one is, I would think, statistically, the largest breach so far in 2025 in this sector. So it really, really stands out for the 2025 year. And I think overall, I read it was the 8th largest in U.S. history, and that's according to the HIPAA Journal, so this is pretty major. And basically, Conduent Business Solutions, they experienced a cyber attack.

And this was detected some time ago, almost a year ago, which kind of always makes you almost chuckle a little bit. Back in January 2025, and it exposed more than 10.5 million patients. Absolutely alarming when you see it took almost a year from when it was first detected till we're talking about it now. And I think that's, to me, one of the key tells of how badly broken the healthcare system is within the United States. And not to get off on a political tangent, because that's another whole subject, but… we really see how intertwined it is and how devastating it is when some of these things happen as far as breaches. They talked a little bit about some of the financial impact, which I found concerning. It mentioned that there's already $9 million in breach costs that have been incurred just in September 2025, and then, I guess, another additional $16 million that's anticipated just for the first quarter of 2026. So that's a total of about $25 million. But that doesn't include other things, David, like reputational damage, any regulatory costs, the possible litigation that's gonna come about as a result of this, so I think those things are gonna really drive up the cost of it. And they did mention, too, that they expect cyber insurance to cover most of the notification costs, which I guess helps soften it a little bit, but that's an expensive part, and it takes a very long time before everybody is really notified. I think it was somewhere in the neighborhood of about 10 months, if I recall right, before they were able to actually notify all of those 10.5 million patients that were breached. So, this has got screaming every which way that you could imagine.

David: Well, this is… I mean, there's so much in that, and we can unpick a lot of those aspects, but one of them is this whole idea of notification.

I mean, the whole point of a notification is to provide the victims of this attack, e.g., the customers and the individuals who potentially are harmed by it, with some way to contain the damage, to figure out what's happened, and hopefully, you know, protect themselves. If you go and tell someone, you know, oh, you were hacked 10 months ago, by the way. That's not really very helpful. I mean, it is, I guess, better than not knowing, but, you know, timeliness, you would think, would be an issue here.

And we're talking about delay after delay. I mean, what were you doing a year ago, you know, when this happened? A lot changes in a year, and to be told, oh, by the way, you know, this happened then. It's amazing that, given the regulatory attention to breaches and the responsibility companies have for all this data, that they still can just, you know, kind of tell people when they feel like it. It seems to be what's happened here. Is it adequate, do you think? Is it enough?

Scott: No, I don't think it's enough, and I think it's a complete failure, unfortunately, to these poor patients that were victims of this. I neglected to mention that some of the information that was compromised, and this is very typical of most healthcare breaches, was, you know, obviously their names, their date of birth, social security numbers, what type of treatment they had, what type of claims they put in, and it was multiple agencies and multiple health plans as well that were affected. So it's a pretty wide swath when we think about it. But the fallout of this, kind of to your point, was really the legal and regulatory fallout as a result of taking so long to come, you know, clean and tell people about this. So far, there are at least 9 class action lawsuits that have been filed claiming, or allegedly claiming, some degree of negligence on their part. So, obviously, then Conduent has to face investigations by OCR, which is the HHS Office for Civil Rights, and the State Attorney General, and other regulatory penalties they may have to pay, as the HIPAA Journal reported on. So, there are a lot of other expensive things that are going to come about as a result. Anytime you get into any type of class action lawsuit, maybe they don't all come to fruition, but if you've got nine of them already, get ready, roll up your sleeves, because there is going to be some work ahead of them to try to calm people down and negotiate this out, some settlements and things like that, and possible payouts. So, this is not looking very pretty here for Conduent as far as a data breach. And I think it speaks to the point, and we've talked about this before, when companies realize that they're victims of a data breach, they need to do a couple of things very quickly. And obviously, number one is figure out what happened, assess the damages, look at where the vulnerabilities were, and so on and so forth, but really come clean and tell everybody what happened.

I know I'm going through cyber compliance, working with the US DOD and government, and we really have to report within 48 hours if we're breached. That's a difficult assignment. You basically have to stop everything you're doing. Dive into the network, dive into the problems, and be quick to report this to make sure that you're in compliance. Otherwise, there are fines and regulatory problems and things, many of which you're dealing with, but to me, it's not acceptable when so much time goes on, when they're talking 10+ months before everybody's notified, and we're here talking about it today. Yet it happened when? It was first detected back in January 2025.

You have to ask the one question. What were you guys doing? What took you so long? That's tragic.


We'll be right back after a quick word from our sponsor.

Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time, while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak. That's C-I-M-C-O-R dot com slash C-I-M-T-R-A-K.


And now, back to the podcast.


David: Tragic is a very good word for it. I mean, you know, this is the whole point of having these systems automated and digitized and all, is you should be able to get access to this information pretty quickly. They should have been able to figure out pretty quickly these people were affected, these individuals. Let's email them, at least, and just let them know, so they can protect their identities, and take some steps to do something. It was interesting that they did say, oh, you know, we have a cyber insurance policy. It's almost like companies think, oh, well, then it doesn't matter so much, you know, because we're protected. But, you know, I wonder how much of these class action lawsuits the insurance policy is going to protect. That's potentially a huge exposure for them going forward.

Scott: Yeah, and I guess, in fairness, to be transparent, because they're taking the brunt of this, obviously, which typically happens, the large guys take the brunt, there is third-party culpability, I think we have to bring into this, because if you look at all the major breaches, most of the time, it traces back, and especially in healthcare breaches, there was a stat I came across earlier, 72% of healthcare breaches trace back to third-party vendors.

Which was really kind of the key issue, what exposed Conduent to this breach. So, if you're not just keeping your own company, your own organization's cybersecurity posture tight, you have to also worry about and vet carefully anybody you do business with, these third-party vendors. Why? Because they have access to your network, to your personal information. How are they storing it, and backups, and where does the data reside, is it encrypted, so on and so forth. If they're not doing their due diligence there, then they're really culpable for that, too. And that looks like what kind of, in this case, is what happened. It wasn't necessarily that they dropped the ball directly, but their third-party vendors were lax, and that's what all companies have to really be careful about. Who are they partnering with? That is just as important as your own internal systems and constraints that you put into place now. Otherwise, you're a victim of all this regulatory scrutiny and lawsuits, the reputational damage, so on and so forth that we talked about.

David: And everything there is magnified as well for a company like Conduent. I mean, this is a business process outsourcer. Their job is to do stuff that big companies don't have the manpower or the interest in doing. They process large-scale health service documentation, administration, they manage toll systems, you know, things like that. Big systems where there's just a lot of data that needs to be processed. This is what they do. Over 600 government agencies and half the Fortune 100, they say. This is large-scale business, transactional stuff. And, you know, it's great for companies that want to offload that burden to a company like Conduent, because they, you know, theoretically have the infrastructure to do that. I mean, apparently, they're reasonably good at that, but it also magnifies their exposure, because you're talking about different types of data that's being held across different systems, and each type of data has its own regulatory requirements, you know, at a state and a federal level. Just a mishmash of regulations and exposure as well, I think, in the systems that are managing this.

So for that type of company, particularly, all of these things really ring true, the warnings about vetting your third-party service providers, the warnings about making sure that you have a clear reporting path and action plans when there's a breach, that sort of thing really becomes even more important when it's not just one type of data, one type of customer that you're dealing with, but over 100 million people, potentially, being affected by a breach like this.

Scott: Yeah, and it's interesting, because when we analyze different types of data breaches, and if you put them in their respective buckets, healthcare is often the costliest industry for breaches. The average incident, and this is, again, contained within the United States we're looking at, but the average breach cost is somewhere in the neighborhood of $7 to $11 million per incident. So there are some that are much larger and some that are much less. That really helps us appreciate there are extremely high financial impacts to these healthcare breaches. For a small business, that would put most companies under immediately in the United States. Obviously, these are much larger companies within the healthcare sector, so they can absorb some of it, but I start to question, my thoughts are like: How do they absorb it if an incident costs $7 to $11 million per incident? How do they start to absorb some of those costs? Well, the only way is probably raising prices, and we already know that the healthcare system is on the verge of collapsing within the United States, especially with a lot of the back and forth in politics about Obamacare, the rising costs doubling, tripling, quadrupling, possibly, and back and forth between the Democrats and Republicans, and how this is going to work out, we don't know. But healthcare is very expensive, but we all need healthcare. We need good coverage. We just can't afford to pay it. And then when you hear about these breaches on top of it, it makes me wonder, who's paying for all of this? Obviously, probably each American at this point.

David: Well, this is the concern, isn't it? Because in the end, I mean, you pay in terms of the data that's compromised, you pay in terms of the need to invest in systems to protect it. It's the same story over and over again, just different actors, I suppose. This is the whole problem with that.

So, where can they go from here? And I guess people that have been affected, what should they be doing? The notifications only started coming out in October. Is this the sort of thing that people can do anything about, particularly other than just say, oh no?

Scott: You know, I wish I had some silver bullet that I could say, do this or do that, but when you look at the number of healthcare records that have been exposed, and I was curious about that. It was interesting doing a little bit of research on it. So far, they claim that more than 2.6 times the U.S. population records have been exposed. So basically, that's saying, my record, as a U.S. citizen, has been exposed two and a half times already. My information is out there. So, as a patient, as a citizen, what do I want to do? Well, I don't want to give out too much information. When I go to the doctors, and they ask me, "Oh, what's your social security number, Scott?"

I'm not going to put that down.

I'm gonna fight the system. I'm gonna limit the amount of personal information that I'm gonna divulge. And in the United States, they're actually not required to demand your social security number, and they can't tell you that you cannot be treated if you don't provide your social security number. And I had this happen to me personally several times, and I argue with them, and at the end of the day, what's the reason they keep pushing for, "Give me your social security number, give me a copy of the front and back of your driver's license," so on and so forth? It's because there's such a high percentage of people that do not pay their bill. And when you gotta go to collections, you know, somebody doesn't pay their bill, and now you've got this healthcare provider, a doctor's office or hospital, whatever, and they gotta go collect. The more information they have, the better chance they have to collect that money. So if they have all your personal information, your driver's license, your social security number, they're more apt to have success in collecting, going through an agency. And that's really why they push so hard, because there's so many people that can't afford the insurance anymore, so it's kind of a cat and mouse game back and forth, but I always tell people, at least for listeners, if you reside in the U.S., be very reluctant to divulge any personal information to your healthcare provider.

The more they have, the more they will use that against you, and to the point of this whole discussion that we're having, David, the more that that information potentially will be breached, because it's going to happen, if it hasn't already, why give them any more information that could be used in some type of cybercrime?

David: That's right, we want to hold tight and just really cross our fingers that we're not among those people that have been breached two and a half times. Maybe only twice. At this point, it's almost academic, isn't it? But we've got to at least take measures if we can, and I think people just being aware of the implications of a breach like this is so important. You know, HIPAA is there for a reason, and when these things happen, and they will happen, people need to be aware of the implications of that, which I think a lot of people probably aren't always sure about.

Scott: Yeah, I think that's a really good point. And I think one thing we didn't discuss as much is the supply chain risk. It highlights broader implications of other things that come into play. Certainly, as a consumer, someone who deals with healthcare, when we go to the doctor or whatever, we want to be very cautious, but at the same time, there is a lot of association with the risks of the supply chain. And in this particular case, with this story with Conduent, there are certain things that were very vulnerable. And they could have probably done a better job. We kind of mentioned a little bit before about the third party and all these different companies that are tied into the supply chain. They've got to really make sure they have a robust cybersecurity plan in place to protect that personal information. Otherwise, it's just gonna keep getting out there, and the costs are going to continue to rise, and there'll be no solution in sight. 

David: Well, this is so, so true. Scott, thanks, as always for your time. Great to chat.

Scott: Nice talking with you there, David. Thank you so much. 

David: I'm David Braue, and joining me today was Scott Schober, cyber expert, CEO of Berkeley Varitronics Systems, and author of the popular books "Hacked Again" and "Senior Cyber."


The Data Security Podcast is sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time, while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak. To hear our other podcasts and to watch our videos, visit us at cybercrimemagazine.com.


Post by Lauren Yacono
December 30, 2025
Lauren is a Chicagoland-based marketing specialist at Cimcor. Holding a B.S. in Business Administration with a concentration in marketing from Indiana University, Lauren is passionate about safeguarding digital landscapes and crafting compelling strategies to elevate cybersecurity awareness.
