Montana Investigation into Blue Cross Blue Shield Data Breach Moves Forward After Court Ruling


What happened

A Montana state district judge has dismissed a lawsuit from Health Care Service Corporation, the parent company of Blue Cross Blue Shield of Montana, clearing the way for the Montana State Auditor’s Office to continue its investigation into a 2024 data breach that may have exposed the personal data of up to 462,000 BCBSMT members, roughly one-third of Montana’s population.

The breach stems from a cyber incident at Conduent, a third-party vendor used by BCBSMT. BCBSMT learned of the incident from Conduent on July 1, 2024, completed its own analysis of the impact on September 23, and then reported it to the State Auditor's Office. The auditor's investigation is focused on whether BCBSMT complied with Montana's data breach notification requirements.

HCSC had argued in court that BCBSMT was exempt from the state notification rules because it was already covered by a federal law. Montana's legislature passed House Bill 60, signed into law last year, to close that gap by requiring companies with federal exemptions to follow the state breach notification rules anyway. HCSC countered that HB 60 did not take effect until October 1, 2024, after BCBSMT had already completed its breach analysis, and that the bill contained no retroactive provision. Judge Chris Abbott ruled narrowly, finding that BCBSMT could not use the courts to skip the administrative process; his ruling did not address the substance of the company's legal arguments. If the auditor's findings go against BCBSMT, the company can challenge them in court at that point.

A hearing examiner who took testimony in January is expected to resume working on findings, including whether laws were violated and whether penalties are warranted.

Who is affected

Up to 462,000 BCBSMT members face potential exposure of personal data from the Conduent breach. The investigation’s outcome could also affect HCSC’s broader compliance obligations across other states where it operates, and may set a precedent for how Montana regulates data breach notification by federally exempted insurers.

Why CISOs should care

This case is a useful example of how a third-party vendor breach creates layered legal exposure that can outlast the incident itself by years. The breach happened in 2024; the fight over who even had regulatory authority to investigate it was still being litigated in 2026. For security leaders in the insurance sector especially, the Montana case underscores that state breach notification laws are evolving and narrowing the exemptions organizations have historically relied on. A response that was compliant under one legal framework may not survive scrutiny under a newly amended one.

3 practical actions

  1. Audit breach notification obligations in every state where you operate: State breach notification laws are not uniform and are actively changing. Montana's HB 60 is one example of a state closing a federal exemption, and other states are moving in the same direction.
  2. Review vendor breach notification timelines in your third-party contracts: The Conduent-BCBSMT timeline shows a gap of nearly three months between the vendor's notice on July 1 and the insurer's completed impact analysis on September 23, and the public record does not say how long Conduent took to notify BCBSMT after discovering the incident itself. Your contracts should specify maximum notification windows for the vendor, and your own response procedures should close the analysis gap substantially.
  3. Treat regulatory investigation risk as part of breach response planning: A breach can trigger not just notification obligations but sustained regulatory scrutiny and litigation that require dedicated legal and security resources well beyond the initial incident response window.
