Conduent, a business process outsourcing firm serving major healthcare payers and government benefit programs, suffered a ransomware attack resulting in the exfiltration of personally identifiable information and likely protected health information for at least 25 million individuals. The breach propagated through Conduent’s client ecosystem, meaning affected individuals are customers of Conduent’s downstream clients rather than Conduent directly. Organizations that contract Conduent for payment processing or back-office services face regulatory exposure under HIPAA and state privacy laws, potential civil liability, and reputational risk from a breach they did not control.