Conduent, acting as a HIPAA Business Associate for Anthem Blue Cross, experienced unauthorized access to PHI affecting approximately 18,500 health plan members; the attack vector is unconfirmed but inferred patterns include trusted relationship abuse (T1199) and valid account compromise (T1078). No CVE is assigned; this is an operational and access-control failure at the vendor level. Covered entities with Conduent BAAs should confirm breach scope, initiate HIPAA Breach Notification Rule obligations if applicable (60-day individual notification window, HHS reporting, and media notification for breaches exceeding 500 state residents), and conduct a formal third-party risk review of all Business Associates with PHI access.