A Montana court has cleared the way for regulators to move ahead with a high-profile cybersecurity enforcement action against Blue Cross Blue Shield of Montana (BCBS), denying the insurer's bid to halt a public hearing into a data breach that may have affected hundreds of thousands of residents.
According to a report from BestWire, the Lewis and Clark County District Court rejected Health Care Service Corp's (HCSC) request for a temporary restraining order to block an administrative hearing convened by the Montana Office of the Commissioner of Securities and Insurance (CSI). HCSC, a mutual legal reserve company, operates in the state as Blue Cross Blue Shield of Montana.
The case centers on a cybersecurity incident tied to Conduent Business Services LLC, a third-party vendor that provides payment and document-processing services. Conduent discovered unauthorized access to its systems between Oct. 21, 2024, and Jan. 13, 2025.
Regulators said BCBS was informed, in January 2025, that Montana member data may have been impacted, yet the insurer did not file its formal breach report with CSI until October of that year, when it disclosed that up to 462,000 consumers could be affected.
The regulator is examining whether that delay violated Montana’s requirement that entities report cybersecurity incidents without unreasonable delay, and whether BCBS met its obligations to oversee third‑party vendors that handle sensitive health and personal information.
The hearing is also focused on the timeline of events, how the company responded and its contention that a third‑party vendor was responsible for the incident, according to the report.
The breach is believed to have exposed highly sensitive data, including names, addresses, dates of birth, Social Security numbers, health plan and medical record identifiers, diagnosis and treatment codes, provider details and claims information. Regulators have warned that the nature of the compromised information creates an elevated risk of identity theft and healthcare fraud for affected individuals.
CSI communications director Tyler Newcombe criticized the carrier’s effort to stop the proceeding. In an earlier release, Newcombe said: "It is troubling that it appears [BCBS] attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts."
"Our office is committed to protecting Montanans and ensuring a fair, transparent and very serious process when sensitive personal and health data may have been placed at risk," Newcombe added. "Our office will consider all the evidence and then issue a final order in due course."
The hearing examiner is reviewing the record and will prepare a recommended decision for the insurance commissioner. CSI has said a more detailed accounting of the incident will be released as it becomes available, the report said.
BCBS declined to comment, according to BestWire, citing the ongoing litigation.
