Montana Officials Investigating BCBS Breach Linked to Vendor


Regulators Investigate Potential Delay in Notification of Breach Affecting 462,000 Insurance Members


Montana state regulators are currently examining a substantial data breach that impacts 462,000 members of Blue Cross Blue Shield of Montana. The breach is believed to involve a third-party service provider, Conduent, with authorities raising concerns over why nearly 10 months elapsed without notification to affected parties.


Conduent reportedly took almost four months to inform federal regulators about the breach, which it detected in January 2025. The organization characterized the incident as affecting a “significant number” of individuals.

In a statement, Blue Cross Blue Shield of Montana said that Conduent had notified it about compromised member data, but the statement did not specify when this notification occurred. The health insurer emphasized that its internal systems were not breached but acknowledged that the incident impacted its members due to its affiliation with Conduent. The vendor is expected to send notification letters to those affected.

Conduent Inc., a publicly traded organization based in Florham Park, New Jersey, provides a range of back-office services to Blue Cross Blue Shield of Montana, including mailroom and payment processing.

The health insurer did not provide additional specifics when approached by Information Security Media Group for further details regarding the breach’s scope.

Investigation by State Authorities

A spokesperson from Montana’s state government reported that the state’s auditor’s office is investigating whether Blue Cross Blue Shield of Montana failed to report the breach and notify affected members in a timely manner. The insurer officially reported the breach to state authorities on October 8, 2025.

Montana’s laws stipulate that significant data breaches must be reported “without reasonable delay.” If the state’s insurance authority determines that Blue Cross Blue Shield of Montana breached these requirements, the insurer may face fines of up to $25,000 for each violation.

In its April filing to the U.S. Securities and Exchange Commission, Conduent disclosed experiencing an operational disruption on January 13, when it became evident that a “threat actor” had unauthorized access to part of its network. The company reported that measures were promptly undertaken to restore affected systems, which were fully operational within days.

The investigation into the breach revealed that a subset of files containing personal information from several clients was exfiltrated. The complex nature of these files necessitated consulting cybersecurity data mining experts to assess the breach’s nature and scope.

While acknowledging the extensive impact of the breach, Conduent indicated that, to its knowledge, the exfiltrated data has not surfaced on dark web forums. The company has also notified various states, including California, as part of its disclosure obligations.

Conduent operates globally, delivering services across multiple sectors, including healthcare and government, and reported approximately $3.4 billion in revenue for the previous fiscal year, reflecting a 9.8% decline. Notably, direct costs associated with this incident reached around $25 million, underscoring the significance of robust data protection protocols in mitigating operational disruptions.

This incident raises critical questions on cybersecurity resilience for third-party vendor relationships. In terms of adversarial tactics, initial access may have been gained through a supply chain compromise, with persistence and exfiltration techniques likely employed to maintain unauthorized access and retrieve sensitive data. Organizations must remain vigilant, employing the principles of the MITRE ATT&CK framework to ensure a proactive approach to securing their digital ecosystems.
