Update for Anthem-enrolled employees: Data breach of Anthem partner company
From: Human Resources
On Dec. 2, 2025, Virginia’s Department of Human Resource Management (DHRM) Office of Health Benefits was notified by Elevance Health, the parent company for Anthem and the provider of Virginia’s COVA Care and COVA High Deductible health plans, of a cyber security incident discovered by partner company, Conduent, Inc., that involved data acquisition by an unknown threat actor.
Conduent, Inc. provides Elevance printing and mailing services, front-end digitization services, and payment integrity audits. Conduent discovered that the breach was traced to compromised VPN credentials, resulting in the encryption of their internal systems.
What happened? On Jan. 13, 2025, Conduent discovered it was a victim of a cyber incident that impacted a limited portion of its network. Conduent immediately secured its networks and initiated an investigation with the assistance of a third-party forensic expert. The investigation determined that an unauthorized third party had access to their environment from Oct. 21, 2024 – Jan. 13, 2025, and obtained files associated with employees' current or former health plan. Given the nature and complexity of the data involved, Conduent has been working diligently with a dedicated review team, including internal and external experts, to conduct a detailed analysis of the affected files to identify the personal information contained therein.
What information was involved? The affected files contained the employee’s name and the following: address and Social Security number. Conduent has no evidence or indication of actual or attempted misuse of personal information.
Were Elevance or Anthem’s systems impacted? No. The incident was limited to Conduent’s third-party environment and did not impact Elevance Health’s or Anthem’s network or systems.
What action has Conduent taken? Conduent promptly initiated an investigation in collaboration with the FBI and third-party analysts to determine the nature and scope of the incident. The incident has also been reported to law enforcement and the appropriate regulatory authorities.
Where can I learn more? Conduent mailed notification letters to affected members; letters were sent from late December - January 2026. In some cases, individuals may receive more than one notice if they were impacted under multiple business functions within Elevance.
Employees are strongly encouraged to review the letter they receive from Conduent. Also, Conduent is providing employees with access to up to 12 months of credit monitoring and identity restoration services through Epiq, at no cost. The deadline to enroll for the credit monitoring is April 30, 2026.
Who do I contact with questions? Please contact Conduent with all questions regarding this incident at 877-332-1658, Monday – Friday, 9 a.m. – 9 p.m. EST.
If employees are enrolled in the Aetna, Sentara, or Kaiser Permanente health plans through the Commonwealth of Virginia, you may disregard this message.