Montana regulators examine BCBS notification delay after data breach

State officials are reviewing whether Blue Cross Blue Shield of Montana met legal requirements after a third-party incident exposed sensitive data.

What happened

Health Care Service Corporation, operating as Blue Cross Blue Shield of Montana, is under investigation by the Montana Office of the Commissioner of Securities and Insurance over its handling of a large data breach linked to vendor Conduent Business Services. According to reporting by the Daily Montanan, Conduent discovered unauthorized access to its network on January 13, 2025, following activity that stretched back to October 2024. BCBS of Montana was notified in January 2025 but did not begin notifying affected individuals until October 2025. Regulators say the delay may violate Montana law, which requires breach notifications to be issued without unreasonable delay.

Going deeper

The breach originated at Conduent, a business associate that provides administrative services to insurers and government agencies. Forensic findings showed that attackers accessed a wide range of data, including names, addresses, dates of birth, Social Security numbers, health plan identifiers, and claims information. The Safepay ransomware group claimed responsibility. While Conduent disclosed the incident publicly in April 2025 through a securities filing, the total number of affected individuals has varied by state. Montana officials estimate that more than four hundred sixty thousand residents were impacted. State investigators are now focused on the timeline between when BCBS of Montana learned of the exposure and when it notified regulators and consumers.

What was said

During the administrative hearing, officials from the Montana Office of the Commissioner of Securities and Insurance (CSI) explained why the investigation focused on Blue Cross Blue Shield of Montana rather than other entities tied to the Conduent breach. When counsel for the insurer asked why regulators were not pursuing the four other organizations affected by the same vendor incident, a CSI staff member responded, “Because it concerns about 200 people,” referring to the scale of the exposure linked to those entities.

James Snyder, a deputy commissioner at CSI, said regulators still lack details required under state law. Snyder told the hearing that the agency has not received a final breach report outlining how the intrusion occurred or the full scope of BCBS of Montana’s involvement. “It still has not been disclosed to this agency how it happened,” Snyder said, adding that officials have not been fully briefed despite the length of time since the incident was identified.

In the know

The scope of the Conduent breach has continued to expand as state-level filings come in. A 2025 disclosure to the Texas Attorney General shows that nearly 14.8 million Texas residents were affected by Conduent’s 2024 cyber incident, far exceeding earlier estimates of about 10.5 million people nationwide. BankInfoSecurity reported that the incident involved unauthorized access to Conduent systems supporting healthcare and government clients, exposing both personal and protected health information. The widening impact suggests why regulators are scrutinizing notification timelines tied to large vendors, where the full scale of exposure may not be clear for months after an intrusion is discovered.

The big picture

Third-party breaches are becoming harder for regulators to ignore, especially when delays leave consumers in the dark for months. Verizon’s 2025 Data Breach Investigations Report found that nearly one in three breaches involved a vendor or service provider, up from 15% the year before. The report cautioned that companies depend on outside partners who hold sensitive data and quietly expand the attack surface. “When you are working with a third party, you have to consider their security limitations as well as your own,” Verizon wrote.

Paperwork alone is not enough. Paubox’s November 2025 HIPAA compliance research warned, “Many organizations rely on signed Business Associate Agreements (BAAs) as a legal ‘checkbox’ while neglecting the actual technical safeguards required to ensure the vendor is securing data.” A signed agreement does not confirm that encryption is enforced, access is monitored, or systems are properly configured.

FAQs

Why is BCBS of Montana being investigated rather than the vendor alone?

State law places notification responsibility on the licensed insurer, even when a breach originates at a third-party service provider.

What does Montana law mean by notification without unreasonable delay?

The statute does not define a specific timeframe, but regulators assess reasonableness based on the facts, scope of exposure, and when the entity had sufficient information to notify.

What information was potentially exposed in this incident?

The compromised data may include names, addresses, dates of birth, Social Security numbers, medical identifiers, and insurance claims details.

Can insurers wait for vendors to finish investigations before notifying customers?

Regulators generally expect insurers to notify once they reasonably determine that their customers were affected, even if a vendor investigation is ongoing.

What happens after the administrative hearing?

A hearing examiner will propose findings, after which the insurance commissioner may issue penalties, corrective orders, or additional reporting requirements.