Investigation of Blue Cross Blue Shield of Montana for Delayed Data Breach Notification

Blue Cross Blue Shield of Montana (BCBSMT) is being investigated for potential non-compliance with Montana’s breach notification rules after a data breach resulted in the compromise of sensitive personal data and protected health information (PHI) of approximately 462,000 individuals.

Breach Incident and Scope

Like many HIPAA-covered entities and government organizations, BCBSMT hired Conduent Business Services as the provider of its back-office administrative services. On January 13, 2025, Conduent discovered unauthorized access to its system. According to the forensic investigation, a threat actor accessed its system between October 13, 2024 and January 13, 2025. Data compromised in the incident included names, addresses, birth dates, health plan and medical record identifiers, diagnosis and treatment codes, medical insurance provider details, claims data, and Social Security numbers. The Safepay ransomware group announced that it was behind this cyberattack.

Notification and Compliance Concerns

Conduent reported the attack in a U.S. Securities and Exchange Commission (SEC) filing on April 9, 2025. At that time, the extent of the data breach was still unknown since the investigation was in progress. Roughly one year after the attack was discovered, the number of affected individuals is still unknown. Conduent notified the Oregon Attorney General that there were about 10.5 million affected individuals, while the Texas Attorney General received notification that there were 14.7 million affected Texas residents.

BCBSMT received notification from Conduent that it was affected by the January 2025 data breach. However, BCBSMT only sent personal notifications to affected individuals in October 2025. State regulators claimed that this 9-month delay in issuing notifications likely violated Montana’s breach notification law, which requires sending breach notifications without unreasonable delay.

During a public administrative hearing scheduled for January 22, 2026, the Montana Office of the Commissioner of Securities and Insurance (CSI) will examine the evidence and circumstances surrounding the incident along with BCBSMT’s response. The hearing examiner will assess the hearing record and prepare a recommended action for the insurance commissioner. Regulators are looking at whether BCBSMT fulfilled its responsibilities to manage third-party vendors who handle sensitive health data on its behalf and whether the delayed notifications violated legal requirements.

BCBSMT filed for a temporary restraining order to stop the hearing. However, the Lewis and Clark County District Court rejected the request, permitting regulators to continue.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA