462,000 Blue Cross Blue Shield of Montana Clients Affected By Business Associate Data Breach

October 26, 2025HIPAA News0

Roughly 462,000 present and former customers of Blue Cross Blue Shield of Montana (BCBSMT) were affected by a cyberattack on Conduent Business Services, its New Jersey-based business associate. Conduent Business Services is a payment, document processing, and back office services provider. As such, BCBSMT gives Conduent Business Services access to its members’ protected health information (PHI). On January 13, 2025, the business associate discovered a security incident that resulted in operational disruption, a term usually used to mean a ransomware attack.

Conduent Business Services had restored access to the compromised systems and was back to normal business operations within several days. The investigation showed that unauthorized access to its IT system began on October 21, 2024, and lasted for about three months. During that period, the attacker exfiltrated files from its network. On April 9, 2025, Conduent Business Services disclosed the cyberattack in a U.S. Securities and Exchange Commission (SEC) filing. At that time, the exact number of impacted individuals was not clear.

On October 8, 2025, Conduent Business Services informed the California Attorney General regarding the data breach that affected around 4.3 million people. The number of the company’s clients impacted by the breach is not certain. It is also uncertain if the breach affected other HIPAA-covered entity customers. The breach is not yet posted on the HHS’ Office for Civil Rights portal.

BCBSMT informed the Montana State Auditor’s Office concerning the data breach in early October, nearly one year after its business associate first discovered the breach. BCBSMT claims that it received notification that it was impacted at the beginning of the year and has been doing its own investigation and going over the impacted data. The analysis was only finished on September 23, 2025. This data breach is not yet posted on the OCR breach portal, likely because OCR has not updated the breach website since September 24, 2025, due to the government shutdown. According to the Montana State News Bureau, it discovered the data breach after sending a records request. The acquired documents show that around 462,000 Montanans have been affected, and that the exposed information included names, Social Security numbers, birth dates, treatment and diagnosis codes, names of providers, and claims amounts.

The Montana Commissioner of Securities and Insurance started an investigation to find out if state data breach notification laws had been violated. Breached entities need to notify individuals regarding a data breach immediately. They must also alert the Department of Justice concerning a data breach without unreasonable delay. However, there is currently no record on the DOJ consumer protection portal regarding the data breach. The state auditor is finding answers to questions concerning the data breach and has requested a copy of its privacy and security policies. If BCBSMT is found to have failed to adhere to state regulations, financial penalties may be issued.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown

ComplianceHome is a registered trademark. Copyright © 2025 ComplianceHome. All rights reserved.