Jonathon Ambarian provides an update on a breach previously reported on DataBreaches.net:
In October, MTN reported on a major data breach involving customers with Blue Cross Blue Shield of Montana. Now, as a state investigation into the breach continues, the next steps could be playing out in court.
BCBSMT, the largest health insurance provider in Montana, said in October that up to 462,000 of its members’ data may have been exposed by a “cyber incident” affecting Conduent, a third-party vendor. The company reported the incident to Montana State Auditor James Brown’s office, which launched an investigation.
Now, BCBSMT is arguing the auditor’s actions have been unlawful. The company filed a lawsuit in state district court in Helena, claiming Brown’s office doesn’t have the authority to pursue an investigation.
Read more at KXLH
The legal issue seems fairly straightforward: Montana passed a law that went into effect on October 1, 2025 that would require entities to report breaches to the state auditor. Previously, entities like BCBS that are covered by HIPAA were exempt under state notification law if they complied with HIPAA’s breach notification rule and requirements.
The insurer learned about the breach on July 1, 2025 from Conduent, and concluded its own investigation into the incident on September 23. They notifed the state auditor after October 1, but claim they considered that a courtesy notification as the breach had occurred before October 1.
DataBreaches notes that when we first reported on this incident on October 22, 2025, we had found no entry on HHS’s public breach tool from BCBSMT or Conduent, although there was a much smaller report from Conduent Business Services on October 8, 2025. As of publication today, we still do not see any entry on HHS’s public breach tool from BCBSMT or Conduent. If BCBSMT wants to argue that they were still under the exemption for HIPAA-regulated entities that comply with the Breach Notification Rule, where is the evidence that they did comply by notifying HHS timely of the breach?
Was BCBSMT obligated under the new Montana law to report the incident to the state auditor if those affected had not been notified before October 1, 2025 (if they weren’t)? We will have to wait to learn what the court rules.