New Hearing Held on BCBSMT Cybersecurity Breach in Montana

Back in January of 2025, nearly 470,000 Montana's who were using Blue Cross Blue Shield of Montana were affected by a data breach on their accounts.

Unfortunately, nearly 470,000 Montana's weren't aware their personal information, such as sensitive consumer data and personally identifiable and protected health information, was compromised at that time.

via GIPHY

A new hearing was just held this week in regard to just that.  The Montana Office of the Commissioner of Securities and Insurance (CSI) want to know why they and those customers of BCBSMT weren't notified until October of 2025 about the breach.

Get our free mobile app

New Hearing Held on BCBSMT Cybersecurity Breach in Montana

The public administrative hearing, held January 22 in Helena, Montana, was to "receive evidence and determine whether BCBSMT complied with Montana law requiring the timely reporting of cybersecurity incidents, as well as to examine the facts and circumstances surrounding the breach".

READ MORE:  Montana FWP Looking for Information on Vandalism

In a statement released through the Montana CSI, Communications Director Tyler Newcombe said about the hearing:

Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. That is exactly what this hearing was designed to do. Our office will consider all the evidence and then issue a final order in due course.

BCBSMT Sought Restraining Order for the Hearing from Court

BCBSMT originally sought a restraining order through the Lewis and Clark County District Court to prevent the hearing from even happening.  However, the court denied the request, and the hearing was able to be held.

As part of the hearing of evidence and testimony, 3 important factors were addressed during it, including:

• timeline of events
• BCBSMT’s response to the breach
• The assertion that a third-party vendor, Conduent Business Services LLC, was responsible for the cybersecurity incident

READ MORE:  Unsolved in Montana - Mysterious Disappearance of Patricia Mehaan 37 Years Ago

Get our free mobile app

Montana Law Specifically Aims to Protect Citizens from Breaches

In the release, the department said "Montana law requires regulated entities to report cybersecurity breaches in a timely manner to protect consumers and ensure transparency. The hearing was conducted pursuant to that authority".

As for now, the Hearing Examiner will be reviewing the record and prepare a proposed decision for CSI Commissioner James Brown to consider.  CSI stated that additional information would be released as it becomes available.  The full public statement is by Director Newcombe is available here.