Court Rules State Regulator’s Investigation of Blue Cross Blue Shield of Montana May Proceed
A district court judge in Montana has ruled that the State Auditor and Insurance Commissioner’s investigation of Blue Cross Blue Shield of Montana (BCBSMT) over a data breach affecting 462,000 individuals may proceed. The data breach involved BCBSMT’s third-party vendor Conduent Business Services. The Safepay ransomware group claimed responsibility for the attack and stole 8.5 TB of data. While the full scale of the data breach is still unclear, at least 25 million Americans were affected nationwide. BCBSMT reported the data breach separately as affecting 462,000 Montanans.
Commissioner Brown launched the investigation into BCBSMT and Conduent over the data breach to help educate the public about data breaches, improve the regulation of insurance companies to prevent further breaches, and determine if there have been any unlawful acts that warrant a financial penalty, namely, whether BCBSMT complied with state law requiring insurers to provide timely notice when a data breach occurred. The data breach was significant, as one-third of state residents had their data compromised, and it took nine months for the notice to be issued.
BCBSMT mounted a legal challenge, claiming the auditor’s office lacked the authority to conduct the investigation. BCBSMT argued that it was exempt from reporting the breach as it was covered by federal law, and that a breach notice was submitted as a courtesy. Last year, the state legislature passed a bill that was signed into law by the state governor, requiring companies with a federal exemption to follow state breach notification rules; however, the law did not take effect until October 1, 2025.
Hackers had access to Conduent’s systems between Oct. 2024 and Jan. 2025, and BCBSMT learned from Conduent that it was one of the affected clients a few days after Conduent learned about the attack. BCBSMT learned about the extent of the data breach on July 1, 2025, then conducted its own investigation and notified the state in October 2025. BCBSMT said its analysis of the incident was completed on September 23, 2025, days before the new law took effect. BCBSMT argued that it was being unfairly targeted and that there was no provision in the bill to make it retroactive.
The commissioner’s office argued that the delay in issuing notifications was unreasonable from a consumer protection standpoint. The First Judicial District Court in Helena dismissed the BCBSMT lawsuit against the commissioner’s office, although not on the substance of the complaint. The judge ruled that the commissioner’s office must first be given the opportunity to investigate, review the evidence, and issue an administrative decision. BCBSMT will then have the opportunity to challenge any administrative decision.
“To permit a declaratory judgment action here would be to use the UDJA to afford [BCBSMT] an opportunity to ‘skip the administrative process’ and obtain an avenue to immediate judicial review of the Commissioner’s actions that Blue Cross does not otherwise possess,” ruled District Court Judge Chris Abbott. Judge Abbott also confirmed that once the administrative process has been completed, BCBSMT will have an opportunity to come back to court to challenge any determinations made by the commissioner’s office.
Commissioner James Brown welcomed the decision, which sends a strong message to regulated companies that they will be held responsible if they violate consumer protection laws. The investigation will now seek to determine if consumer protection laws have been violated. “Montana has very strong laws protecting the privacy of Montana citizens, and I take that obligation and responsibility to protect the rights and personal data of Montanans very responsibly,” said Brown. “I’m pleased that the district court in Helena is allowing us to move forward with our investigation.”
January 28, 2026: Blue Cross Blue Shield of Montana Faces Data Breach Probe
Health Care Service Corporation, doing business as Blue Cross Blue Shield of Montana (BCBSMT), is facing a probe into whether the company complied with Montana’s breach notification law following a significant data breach that impacted approximately 462,000 Montanans.
Like many health insurance providers, BCBSMT contracted with Conduent Business Services, a business associate that provides back-office administrative services to HIPAA-covered entities and government agencies. On January 13, 2025, Conduent identified unauthorized access to its network, and its forensic investigation confirmed that a threat actor had access to its network for three months between October 13, 2024, and January 13, 2025. Data compromised in the incident included names, addresses, dates of birth, Social Security numbers, health plan and medical record identifiers, diagnosis and treatment codes, provider details, and claims information. The Safepay ransomware group claimed responsibility for the attack.
Conduent disclosed the attack in a filing with the U.S. Securities and Exchange Commission (SEC) on April 9, 2025, although at the time the investigation was ongoing to determine the extent of the data breach. It has been more than a year since the attack was detected, and it is still unclear how many individuals have been affected. The Oregon Attorney General was notified that around 10.5 million individuals had been affected nationwide, and subsequently, the Texas Attorney General was informed that 14.7 million Texas residents had been affected.
In January 2025, BCBSMT was notified by Conduent that it was one of the affected clients; however, BCBSMT did not notify the affected individuals until October 2025 – a year after Conduent’s systems were first breached and 9 months after it first learned that it had been affected. State regulators launched a probe to determine if BCBSMT was compliant with state data breach notification law, which requires notifications to be issued without unreasonable delay. State regulators also seek to establish the circumstances surrounding the data breach.
The Montana Office of the Commissioner of Securities and Insurance (CSI) scheduled a public administrative hearing on January 22, 2026, to gather evidence about the breach, establish a timeline of events, and determine how BCBSMT responded to the incident. BCBSMT sought a temporary restraining order from the Lewis and Clark County District Court to prevent the hearing from taking place; however, the court denied the request.
“It is troubling that it appears [BCBS] attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts,” said Montana CSI communications director Tyler Newcombe. “Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. Our office will consider all the evidence and then issue a final order in due course.”
A Hearing Examiner will review the record from the hearing and will propose a decision for the Commissioner to consider. The Commissioner will publish further information about the timeline of events to ensure transparency over the lengthy delay in issuing breach notifications.


