HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Blue Cross Blue Shield of Montana hit by vendor breach affecting 462,000 members

Written by Farah Amod | Nov 5, 2025 12:01:50 AM

A delayed disclosure of a business associate cyberattack has impacted nearly half a million BCBSMT members and triggered a state investigation.


What happened

Roughly 462,000 current and former members of Blue Cross Blue Shield of Montana (BCBSMT) were affected by a data breach involving Conduent Business Services, a New Jersey-based vendor providing BCBSMT with payment and back-office services. Conduent detected the security incident on January 13, 2025, following unauthorized access that began as early as October 21, 2024. The breach went undisclosed for several months, during which time sensitive member data was exfiltrated.

Conduent eventually disclosed the breach in April 2025 through a U.S. Securities and Exchange Commission filing. However, the specific impact on BCBSMT members was not made public until October 2025, when documents obtained by Montana’s State News Bureau confirmed the number of individuals affected and the nature of the compromised data.


Going deeper

The cyberattack, which caused operational disruption, appears to have involved ransomware, though this has not been formally confirmed. Conduent restored its systems within days but did not complete its full investigation until months later. In total, the breach is believed to have affected approximately 4.3 million individuals across multiple clients, although the full list of impacted entities remains unclear.

BCBSMT reported that it was informed of its involvement earlier in the year and began its own review of the affected data. That review concluded on September 23, 2025. The compromised data includes names, birth dates, Social Security numbers, medical codes, provider information, and claims data.


What was said

BCBSMT has not issued a detailed public statement but has notified the Montana State Auditor's Office. In turn, the Auditor has launched an investigation into whether BCBSMT violated state data breach notification laws. Montana law requires timely notification to individuals and the state Department of Justice, but no listing currently exists on the DOJ’s consumer protection portal. The Auditor has also requested BCBSMT’s privacy and security policies and may impose financial penalties if noncompliance is found.

The breach has not yet appeared on the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) breach portal, though updates to the site have been paused since September 24 due to a government shutdown.


The big picture

According to Bank Info Security, Montana’s investigation into the Blue Cross Blue Shield of Montana breach highlights a broader accountability gap in vendor-related data incidents across the healthcare sector. Regulators say delayed reporting has become a recurring issue as covered entities depend on third-party vendors that control large volumes of protected health information. Conduent’s case shows how even brief disruptions can have lasting consequences; the company disclosed $25 million in response costs and continues to face regulatory scrutiny. Experts warn that state and federal authorities are tightening expectations for breach transparency, with one official noting that entities must report exposures “without reasonable delay” or risk significant penalties.


FAQs

What qualifies a company like Conduent as a “business associate”?

Under HIPAA, a business associate is a service provider that handles protected health information (PHI) on behalf of a healthcare organization, requiring it to comply with privacy and security requirements.


How does a delay in reporting affect regulatory compliance?

Delayed breach notification may violate state or federal laws, leading to investigations and possible penalties. Montana law mandates prompt disclosure to both individuals and the Department of Justice.


Why hasn’t the breach appeared on the HHS OCR portal yet?

The OCR portal has not been updated since September 24, 2025, due to the U.S. government shutdown, which may explain the absence of this incident from the official breach list.


What are common back-office services that business associates like Conduent provide?

These services can include billing, document processing, claims management, and other administrative tasks that require access to PHI.