The Conduent Breach: A Stewardship Failure at Scale

EDITOR’S NOTE: The author of this article used AI-assisted tools in its composition, but all content, analysis, and conclusions were based on the author’s professional judgment and expertise. The article was then edited by a human being.

Buried in recent headlines was what may become one of the most significant healthcare-related data breaches in U.S. history: the ransomware attack on Conduent, a major government technology contractor.

Conduent processes Supplemental Nutrition Assistance Program (SNAP) transactions and supports government healthcare programs nationwide. Its systems reportedly touch data tied to more than 100 million people. Early last year, a ransomware group infiltrated its environment and remained undetected for 84 days.

Blue Cross Blue Shield of Montana (BCBSMT) was contracted with Conduent and was notified that it was an impacted client in January 2025. However, BCBSMT informed impacted individuals in October 2025 – nine months after learning of the incident (Security 2026). For many patients, notification letters began arriving in mailboxes only at the very end of 2025, nearly 11 months after the fact.

Source: LinkedIn, Astrid Yee-Sobraquès

What initially sounded like a “limited incident” now appears to have affected at least 25 million individuals, making it the eighth-largest healthcare-related cybersecurity breach in U.S. history.

In Texas alone, 15.4 million residents were involved – nearly half the state’s population. Oregon reports another 10.5 million. Other states are still notifying residents. The final number may climb even higher.

The stolen data reportedly includes names, Social Security Numbers, medical information, and health insurance details.

For health information management (HIM) professionals, that combination should set off alarms.

This isn’t credit-card data. This is identity-layer data, with permanent identifiers that cannot be reissued like a debit card. Social Security Numbers and medical histories enable identity theft, medical fraud, insurance billing abuse, prescription diversion, and highly targeted scams. Healthcare data remains among the most valuable commodities on the black market because it enables long-term exploitation. Consider the following:

  • Stolen medical records go for an estimated $260–$310 on the black market, roughly 10 times the value of a stolen credit card number. (Patient Protect, 2025)
  • Individual victims of medical ID theft may incur thousands in resolution costs (resolving identity fraud cases requires roughly $13,000+ out of pocket on average). (NEAMB, 2026)
  • Medical identity theft contributes to an estimated $30 billion+ in healthcare fraud losses annually in the U.S., per one industry estimate. (NEAMB, 2026)

But here is where this becomes more than a cybersecurity story.

It is a governance story.

It is an enterprise risk management story.

And it is fundamentally a stewardship story.

Most organizations view data as an asset: something collected, processed, exchanged, and leveraged. But after a breach, that same data instantly becomes a liability.

And to the individual? That data is not an asset or liability.

It is their identity.

The 84-day dwell time and 11-month notification lag expose something deeper than a technical vulnerability. They expose systemic blind spots: vendor oversight, contract language, monitoring protocols, breach rehearsal, and board-level accountability.

Conduent is a third-party processor. Many impacted individuals likely had no idea their data was stored there. This is the modern privacy challenge: your defensive perimeter ends at your organizational boundary, but your stewardship does not.

When a breach occurs, organizations pay notification costs, legal fees, regulatory fines, and public-relations expenses. When an individual’s data is compromised, they may manage the consequences for decades.

That distinction should influence how we think about vendor governance.

The envelope arriving in someone’s mailbox is a lagging indicator. By the time that notification arrives, every meaningful decision has already been made: vendor selection, contract negotiation, risk scoring, due diligence, audit rights, cyber insurance coverage, and board reporting.

The real organization-level question is not “How do we prevent a breach?”

The question is: “Who in this room is accountable for the 25 million people holding that envelope?”

In healthcare, HIM professionals sit at the intersection of compliance, privacy, security, and operational integrity. That position carries strategic influence. We are not simply custodians of records. We are stewards of identity-layer information in an increasingly outsourced, vendor-dependent ecosystem.

Jennifer Mueller, AHIMA’s Vice President, recently stated that “the health information profession is positioned at the center of healthcare transformation.” This breach demonstrates the need for our involvement in transforming the privacy and cybersecurity environment and protecting our patients’ data.

HIM, billing and patient care providers will be at the front line of identifying medical identity red flags with:

(1) Patient inquiries to access their records (and to find out who else accessed them);

(2) Inquiries such as “Why did I receive a bill for a cholecystectomy that I never had?” (a clear red flag); and

(3) Patient comments such as: “Oh, B- is not my blood type. I don’t know where that came from. My blood type is O.”

HIM professionals can demonstrate their awareness of what’s hitting and not hitting the headlines by sharing this type of information and guidance with organizational leadership, to help inform next steps and mitigation practices.

The Conduent breach is not just another ransomware headline.

It is a case study in third-party risk concentration, breach detection lag, notification delay, and the widening stewardship gap between organizations and individuals.

Closing that gap requires stronger vendor governance, continuous monitoring, contract accountability, executive reporting, and board-level rehearsal of breach scenarios before, not after, the envelope is mailed.

Because in today’s environment, cybersecurity is not just an IT function.

It is a HIM leadership responsibility.

Sources:

Fox News: Kurt Knutsson, CyberGuy Report. Conduent ransomware breach allegedly affects millions across states. https://lnkd.in/eW54CHvN 2/22/26

LinkedIn Posts: 2/23/26-2/25/26: Michael Kwinana, Eva Benn, Mark H., Astrid Yee-Sobraquès, Anjali Nair

LinkedIn News: Emma W. Thorne. Conduent data breach was far larger than first thought. 2/25/26

National Education Association Member Benefits (NEAMB). 2026. Guard Against the Growing Threat of Medical Identity Theft. https://www.neamb.com/personal-finance/guard-against-the-growing-threat-of-medical-identity-theft?utm_source=chatgpt.com

Patient Protect. 11/4/2025. Healthcare Data Breach Statistics 2025: Why Medical Records Are Worth 10× More Than Credit Cards. https://www.patient-protect.com/post/healthcare-data-breach-statistics-2025-why-medical-records-are-worth-10-more-than-credit-cards?utm_source=chatgpt.com


Rose T. Dunn, MBA, RHIA, CPA, FACHE, FHFMA, CHPS, AHIMA-approved ICD-10-CM/PCS Trainer

Rose T. Dunn, MBA, RHIA, CPA, FACHE, FHFMA, CHPS, is a past president of the American Health Information Management Association (AHIMA) and recipient of AHIMA’s distinguished member and legacy awards. She is chief operating officer of First Class Solutions, Inc., a healthcare consulting firm based in St. Louis, Mo. First Class Solutions, Inc. assists healthcare organizations with operational challenges in HIM, physician office documentation and coding, and other revenue cycle functions.
