Blue Cross Blue Shield of Montana (BCBSMT), operated by Health Care Service Corporation, is facing a major regulatory probe following a massive third-party data breach tied to its vendor, Conduent Business Services.
What happened
Conduent discovered unauthorized access to its network on January 13, 2025; attackers had been inside its systems for several months, between October 2024 and January 2025. The breach exposed highly sensitive information. Conduent disclosed the incident in an SEC Form 8-K on April 9, 2025, and notified affected clients, including BCBSMT, in January 2025.
Despite being informed that Montana member data may have been impacted, BCBSMT did not notify Montana regulators until October 8, 2025, and did not begin notifying affected members until later that month, approximately nine months after learning of potential exposure. Regulators estimate that up to 462,000 Montanans, nearly one-third of the state’s population, were affected, making it the largest data breach in Montana’s history.
The Montana Office of the Commissioner of Securities and Insurance (CSI) launched an investigation to determine whether BCBSMT violated state law requiring breach notifications to be made without unreasonable delay. BCBSMT sought a temporary restraining order in Lewis and Clark County District Court to block a public administrative hearing, arguing procedural unfairness and disputing the regulator’s process, but the court denied the request.
What was said
According to an article on the matter by Beckers Payer Issues, “It is troubling that it appears BCBSMT attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts,” a BCBS Montana spokesperson said in the release. “Our office is committed to protecting Montanans and ensuring a fair, transparent and very serious process when sensitive personal and health data may have been placed at risk. That is exactly what this hearing was designed to do. Our office will consider all the evidence and then issue a final order in due course.”
Why it matters
Large healthcare breach cases in 2025, including the Change Healthcare breach affecting nearly 190 million people and the Episource ransomware attack impacting more than 5.4 million records, triggered intense scrutiny over notification delays, vendor oversight, and the timing of public disclosures.
Those cases reinforced that healthcare entities remain accountable even when third-party vendors are responsible, and that long gaps between discovery and notification can become the central compliance issue. At the same time, the SEC has stepped up enforcement against companies that downplayed or delayed disclosure of material cyber incidents, signaling that breach response timelines now carry legal and financial risk beyond HIPAA penalties.
Healthcare regulators and state insurance commissioners are following that trend by treating delayed notifications as potential violations in their own right, not mere procedural errors. In that context, the Montana case becomes a test of how aggressively states will enforce ‘without unreasonable delay’ standards when a breach originates at a vendor but affects hundreds of thousands of patients.
FAQs
When does the SEC require a cyber incident to be disclosed?
The SEC requires disclosure within four business days after a company determines a cyber incident is material to investors.
Does HIPAA require public disclosure of all healthcare breaches?
HIPAA requires notification to affected individuals, HHS, and sometimes the media, but not all incidents trigger public announcements.
How do vendor breaches affect healthcare organizations’ federal disclosure duties?
Healthcare entities remain responsible for breach notifications even when a business associate or vendor caused the incident.