On February 12, 2026, Texas Attorney General Ken Paxton thrust the state into the national spotlight by launching a sweeping investigation into what he described as potentially the largest data breach in U.S. history. The breach, which targeted the systems of Conduent Business Services LLC, exposed the sensitive personal data of approximately 4 million Texans—including the protected health information of Texas Medicaid recipients—between October 21, 2024, and January 13, 2025. The incident has raised urgent questions about the security of Americans’ most private information and the responsibilities of the companies entrusted to safeguard it.
According to KXXV, the breach was first discovered when an unauthorized third party managed to gain access to Conduent’s system. The scale of the compromise quickly became clear as investigators traced the exposure of not just names and addresses, but also deeply personal health records. For the millions affected, the news was both shocking and unsettling, with many left wondering how such a massive lapse could occur in an era of supposed digital vigilance.
Attorney General Paxton, known for his outspoken approach to consumer protection, wasted little time in responding. "The Conduent data breach was likely the largest breach in U.S. history," he stated, underscoring the gravity of the situation. He made it clear that his office would leave no stone unturned, adding, "If any insurance giant cut corners or has information that could help us prevent breaches like this in the future, I will work to uncover it."
Paxton’s investigation is targeting not just Conduent, but also Blue Cross Blue Shield of Texas (BCBSTX), one of the state’s largest health insurers and a major client affected by the breach. Civil Investigative Demands—legal tools akin to subpoenas—have already been issued to both companies, requiring them to produce a wide swath of documents and information related to the breach. The focus is twofold: first, to scrutinize BCBSTX’s compliance with state laws governing the protection of confidential information; and second, to probe Conduent’s internal security measures, communications, and adherence to Texas legal standards.
"Texans deserve to know that their private health information is being handled responsibly and in full compliance with the law," Paxton emphasized. "My office is committed to uncovering exactly what went wrong, taking action to protect Texas families, and ensuring there is justice for any negligence." The strong words reflect the mounting frustration among consumers who have grown weary of hearing about data breaches that compromise their most personal details.
But what exactly happened? While the investigation is still in its early stages, available information points to a sophisticated cyberattack. Conduent—a global business process services company—manages a range of administrative functions for clients, including health insurers like BCBSTX. When its system was infiltrated, the attackers reportedly accessed files containing protected health information, which under federal and state law must be guarded with the highest levels of security.
The breach’s impact is not limited to just numbers on a spreadsheet. For the 4 million Texans whose data was exposed, the consequences are real and potentially long-lasting. Health information is considered among the most sensitive categories of personal data, and its exposure can lead not only to identity theft but also to fraud, discrimination, and a profound loss of privacy. Texas Medicaid recipients, in particular, may face additional risks, as their records often include details about medical conditions, treatments, and even family histories.
According to reporting by KXXV and corroborated by Law360, Paxton’s investigation is set to examine whether Blue Cross Blue Shield of Texas and Conduent followed all required protocols before, during, and after the breach. This includes looking into how quickly the companies discovered the intrusion, how they communicated with affected individuals and regulators, and whether any lapses in compliance or oversight contributed to the scope of the incident.
Legal experts note that Civil Investigative Demands allow the attorney general’s office to gather evidence without filing a lawsuit—at least for now. If the investigation uncovers wrongdoing or negligence, the state could pursue civil penalties, demand corrective action, or even refer the matter for criminal prosecution should egregious violations come to light.
What makes this breach particularly alarming is its sheer scale. While data breaches have become distressingly common in recent years, few have reached the level of affecting 4 million individuals in a single state. The incident stands as a stark reminder of the vulnerabilities in the healthcare and insurance sectors, where vast troves of personal data are stored and transmitted daily. Cybercriminals, ever more sophisticated, are increasingly targeting these repositories, knowing that the information they contain is both valuable and, in some cases, poorly protected.
For Blue Cross Blue Shield of Texas, the state’s scrutiny is especially unwelcome. The company is now under pressure to demonstrate that it did everything possible to protect its members’ information and to comply with Texas law. The investigation will look closely at whether BCBSTX had robust data protection policies in place and whether it monitored its vendors—like Conduent—adequately. In the world of healthcare administration, it’s common for insurers to outsource tasks to third parties, but that doesn’t absolve them of responsibility under state and federal privacy laws.
Conduent, meanwhile, faces its own reckoning. As the company whose systems were breached, it must show that it maintained adequate cybersecurity defenses, responded appropriately to the attack, and notified all required parties in a timely manner. Any evidence of lax security practices or delayed action could result in significant legal and reputational consequences.
For many Texans, the breach has heightened skepticism about how large organizations manage their most sensitive data. Privacy advocates are calling for stronger oversight, tougher penalties for negligence, and new laws to keep pace with the evolving cyber threats. Some have pointed out that while companies often promise to prioritize data security, the steady drumbeat of breaches suggests that more needs to be done—both in terms of technology and accountability.
As the investigation unfolds, all eyes will be on the Texas Attorney General’s office. The outcome could set important precedents for how data breaches are handled, not just in Texas but nationwide. It may also influence how companies approach cybersecurity, vendor management, and transparency with the public.
For now, the millions affected by the breach can only wait—and hope that the state’s probe brings answers, accountability, and perhaps a measure of reassurance that their information will be better protected in the future.