DataBreaches.Net

Protected health information of 462,000 members of Blue Cross Blue Shield of Montana involved in Conduent data breach

Posted on October 22, 2025 by Dissent

WVNews reports that personal and protected health information of 462,000 Montanans was involved in a significant data breach experienced by Conduent Business Services from October 2024 to January 2025. The state’s Insurance and Securities Commission wants to know why Blue Cross Blue Shield of Montana (BCBSMT) didn’t notify the state sooner.

The breach came to light in a report submitted to the state auditor’s office.

Documents obtained by the Montana State News Bureau through a records request show that Social Security numbers, birth dates and medical service details – including treatment and diagnosis codes, provider names and claim amounts – for current and former customers of Blue Cross Blue Shield Montana, the state’s largest health insurer, may have been compromised in the leak.

The breach lasted from October 2024 to January 2025, according to a report submitted by a lawyer representing the insurance company, but was not reported to state regulators until earlier this month, nearly a year later.

Read more at WVNews.

Conduent’s breach, which began on October 21, 2024, and was discovered on January 13, 2025, was first disclosed in April 2025, after some state agencies in Oklahoma and Wisconsin reported outages. On April 9, Conduent notified the Securities and Exchange Commission:

Item 1.05. Material Cybersecurity Incidents

On January 13, 2025, Conduent Incorporated (the “Company”) experienced an operational disruption and learned that a ‘threat actor’ gained unauthorized access to a limited portion of the Company’s environment. Upon detection, the Company activated its cybersecurity response plan with the help of external cybersecurity experts to contain, assess, and remediate the incident. The Company restored the affected systems and returned to normal operations within days, and in some cases, hours. The disruption did not have a material impact to the Company’s operations.

As part of its ongoing investigation, the Company determined that the threat actor exfiltrated a set of files associated with a limited number of the Company’s clients. Due to the complexity of the files, the Company engaged cybersecurity data mining experts to evaluate the exfiltrated data and was recently informed of its nature, scope and validity, confirming that the data sets contained a significant number of individuals’ personal information associated with our clients’ end-users. The Company is continuing to further analyze and document the precise and detailed impact of the data exfiltrated, and clients are being informed as appropriate in order to determine next steps as required by federal and state law. To the Company’s knowledge, the exfiltrated data has not been released on the dark web or otherwise publicly.

While the Company did not experience material impacts to its operating environment or costs from the event itself, the Company has incurred and accrued material non-recurring expenses in the first quarter related to the event based on potential notification requirements. The Company maintains a cyber insurance policy and has also notified federal law enforcement authorities of the incident.

The Conduent breach reportedly affected 4.3 million people, but it’s unclear how many were notified individually before this month. There was no list of Conduent clients made public, and Blue Cross Blue Shield Montana may be just one of many Conduent clients whose protected health information of insured members or patients was exposed.

On October 8, 2025, Conduent submitted a template notification letter to the California Attorney General’s Office. It states, in part:

On behalf of our clients, Conduent Business Services, LLC (“Conduent”) provides third-party printing/mailroom services, document processing services, payment integrity services, and other back-office support services. We are writing to inform you about a recent incident experienced by Conduent that may have involved some of your personal information, which came into our possession due to the services that we provide to <Client Name>. While we are unaware of any attempted or actual misuse of any information involved in this incident, we are providing you with information about the incident and steps you can take to protect yourself, should you feel it necessary.

What Happened? On January 13, 2025, we discovered that we were the victim of a cyber incident that impacted a limited portion of our network. We immediately secured our networks and initiated an investigation with the assistance of third-party forensic experts. Our investigation determined that an unauthorized third party had access to our environment from October 21, 2024, to January 13, 2025, and obtained some files associated with <Client Name>. Given the nature and complexity of the data involved, Conduent has been working diligently with a dedicated review team, including internal and external experts, to conduct a detailed analysis of the affected files to identify the personal information contained therein. We are providing you with this notice upon the recent conclusion of this time-intensive data analysis as your personal information was contained in the affected files.

What Information Was Involved. The affected files contained your name and the following: <>. Presently, we have no evidence or indication of actual or attempted misuse of your personal information.

Protecting Your Data: Did you know BCBSMT has cybersecurity experts who protect your data from hacking threats? Learn what we do, and what you can do to stay safe.

As of publication today, there is no breach notification on BCBSMT’s website. Ironically, perhaps, the insurer has a section prominently displayed on its home page that claims it has cybersecurity experts protecting its members’ data from hacking threats.

At some point, Conduent published a substitute notice on its website, but it appears to have been removed and is not archived on archive.org.

As WVNews reports, Montana law requires companies to report data breaches that may have exposed the personal information of state residents to the Department of Justice “without unreasonable delay” consistent with the needs of law enforcement and “any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” There is no notice of this breach appearing on Montana’s public breach report site.

HIPAA requires entities to report breaches to HHS and to those affected no later than 60 calendar days from discovery of the breach. There is no entry from either Conduent or BCBSMT on HHS’s public breach tool.

HHS does not appear to have updated its tool since September 24, but it seems that BCBSMT (or Conduent, if contractually responsible) may have failed to comply with notification requirements by the state and federal government.


Note: In February 2025, Safepay claimed responsibility for the attack on Conduent. When DataBreaches searched their leak site today, they could not find any listing for Conduent. DataBreaches does not know why the listing was removed.

This post was edited post-publication to change the health insurer’s abbreviation to BCBSMT to be consistent with how the entity is generally abbreviated.

Category: Commentaries and Analyses, Hack, Malware, U.S.
