Montana Launches Probe Into BCBSMT Data Breach Affecting 462,000 Members

The Montana Commissioner of Securities and Insurance is investigating whether Blue Cross Blue Shield of Montana complied with state breach notification requirements following a data breach that affected 462,000 members.

 

In January 2025, Conduent experienced a cyber security incident that led to an operational outage and unauthorised access to its systems. This breach exposed sensitive personal information of approximately 462,000 BCBSMT members. The compromised data stemmed from Conduent’s handling of mailroom operations, payment processing, and other back-office functions for BCBSMT, not from BCBSMT’s own systems.

 

Montana Commissioner of Securities and Insurance (CSI), James Brown, described the breach as a “major” and “deeply disturbing” incident with serious consequences for affected individuals. He emphasised the urgent need for stronger consumer data protection and oversight.

 

BCBSMT confirmed that its own systems were not impacted but acknowledged that members were affected due to its relationship with Conduent. 

 

Recently, HIPAA Journal reported that CSI held a public administrative hearing on January 22 to collect evidence related to the breach, establish a timeline of events, and assess BCBSMT’s response. However, BCBSMT requested a temporary restraining order from the Lewis and Clark County District Court to prevent the hearing from proceeding; the court ultimately denied the request.

 

“It is troubling that it appears [BCBS] attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts.

 

“Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. Our office will consider all the evidence and then issue a final order in due course,” said Montana CSI communications director Tyler Newcombe.

 

A hearing examiner will review the hearing record and submit a proposed decision, while the Commissioner plans to publish further information on the timeline to address the extended delay in breach notifications.