Data breach puts medical info of 462,000 Blue Cross Blue Shield Montana customers at risk

Carly Graf | Helena Independent Record

October 22, 2025

The private medical information of more than 462,000 Montanans may have been exposed in a data breach involving a third-party vendor used by Blue Cross Blue Shield of Montana, according to a report submitted to the state auditor’s office.

Documents obtained by the Montana State News Bureau through a records request show that Social Security numbers, birth dates and medical service details – including treatment and diagnosis codes, provider names and claim amounts – for current and former customers of Blue Cross Blue Shield Montana, the state’s largest health insurer, may have been compromised in the leak.

The breach lasted from October 2024 to January 2025, according to a report submitted by a lawyer representing the insurance company, but was not reported to state regulators until earlier this month, nearly a year later.

The Montana Commissioner of Securities and Insurance has opened an investigation into whether Blue Cross Blue Shield failed to report the breach in a timely manner and failed to notify potentially affected policyholders.

“While we acknowledge that investigation of security incidents can take time, the [office] is troubled by the length of time that has expired between awareness of the data breach, notification to our agency, and member notification, the provision for credit monitoring and identity protection services,” Deputy Commissioner of Insurance Erin Snyder wrote in an Oct. 16 letter to Blue Cross Blue Shield.

If the insurance commissioner’s office determines that the company has violated regulatory standards, it has the authority to impose up to $25,000 in fines per violation.

“These kinds of enforcement tools exist to ensure that companies take their obligations seriously and operate responsibly,” Commissioner James Brown said in a statement on Tuesday. “My job is to make sure every insurer doing business in Montana understands that compliance is non-negotiable. We’re here to protect consumers and maintain trust in the marketplace.”

Chicago-based Health Care Service Corp. purchased Blue Cross Blue Shield of Montana in 2013. In addition to operating Montana’s largest health insurance carrier, the organization runs health care plans across the country in states such as Texas and Illinois.

Blue Cross Blue Shield contracts with Conduent Business Services, LLC out of New Jersey for payment, document processing and other back-office services. Conduent is the company whose systems were compromised, putting the information of Montana Blue Cross customers at risk.

Conduent did not respond to request for comment before publication. 

An attorney representing Blue Cross Blue Shield sent notice of the breach to the Montana State Auditor’s Office earlier this month. According to the notice submitted by the Houston-based lawyer, Conduent discovered the cyber incident on Jan. 13 and took steps to notify federal law enforcement.

The insurance company said it was informed “earlier this year” that there had been a breach and launched its own analysis to determine which customers might have been impacted, which took until Sept. 23, according to the notice submitted by the lawyer.

However, Conduent reported to federal authorities as early as April that it was “experiencing disruption as a result of unauthorized access to its network.”

Montana law requires companies report data breaches that may have exposed the personal information of state residents. The law mandates disclosure to the Department of Justice “without unreasonable delay” consistent with the needs of law enforcement and “any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”

As of press time on Tuesday, such a report had not appeared on the Montana Department of Justice Office of Consumer Protection website. The only published report from Blue Cross Blue Shield this year was an incident reported in April that affected 163 people. 

In an emailed statement, a Blue Cross Blue Shield spokesperson confirmed the insurer was aware of the cyber incident and had conducted its own data evaluation that showed Montana customers had been impacted. The spokesperson also said that Blue Cross Blue Shield’s systems were not impacted, but did not provide more detail.

“[Blue Cross Blue Shield of Montana] is committed to supporting our members and helping them navigate through this incident,” Amanda Douglas said.

Conduent and Blue Cross Blue Shield have said they’ll offer 12-months of complimentary credit monitoring services to individuals whose social security numbers were hacked.

The auditor’s office sent a list of 11 questions on Oct. 16 to Lisa Kelley, president of Blue Cross Blue Shield of Montana, seeking details to assist in its investigation. The letter requests copies of internal privacy and security policies, a timeline of the breach and information on steps to prevent future incidents.

It asked for the insurance company to submit responses by Friday.

“The scale of this data breach is jaw-dropping and deeply troubling to me because of its far-reaching implications for Montana consumers,” Brown said. “I take the protection of Montanans’ personal information with the utmost seriousness…It’s the foundational duty of every company to safeguard consumer data, and my team will work hand-in-hand with Montana businesses to make sure they’re doing exactly that.”

Click HERE to read the full article