Montana Blue Cross-Blue Shield (BCBSMT) suffered a major data breach via a third-party vendor, Conduent, which exposed the private data of 462,000 customers, nearly one-third of Montana’s population. The breach, occurring between November 8, 2024, and March 5, 2025, involved the exfiltration of highly sensitive information, including names, addresses, birth dates, billing and medical data, phone numbers, and other confidential details. While BCBSMT’s own systems remained unaffected, the incident stemmed from a cybersecurity lapse at Conduent, which provides mailroom, payment, and back-office services for the insurer. The breach triggered a state-level investigation by Montana’s Commissioner of Securities and Insurance, citing ‘far-reaching and jaw-dropping consequences’ for residents. Authorities emphasized the violation of trust in safeguarding health and financial data, with potential legal repercussions, including fines up to $25,000 per violation if negligence is proven. As of the report, no customer notifications had been issued by Conduent, heightening concerns over delayed response and exposure risks. The incident underscores critical vulnerabilities in third-party vendor security and the large-scale impact on personal and financial privacy.
TPRM report: https://www.rankiteo.com/company/blue-cross-and-blue-shield-association
"id": "blu1802218102325",
"linkid": "blue-cross-and-blue-shield-association",
"type": "Breach",
"date": "11/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '462,000',
'industry': 'healthcare',
'location': 'Montana, USA',
'name': 'Montana Blue Cross-Blue Shield (BCBSMT)',
'type': 'health insurance provider'},
{'industry': 'business process services',
'name': 'Conduent',
'type': 'third-party vendor'}],
'customer_advisories': ['Review explanation-of-benefits; monitor financial '
'activity; report suspicious activity to BCBSMT or '
'Commissioner’s office'],
'data_breach': {'data_exfiltration': 'yes (confirmed by Conduent in January '
'2025)',
'number_of_records_exposed': '462,000',
'personally_identifiable_information': ['names',
'addresses',
'birth dates',
'phone numbers'],
'sensitivity_of_data': 'high (includes health and financial '
'information)',
'type_of_data_compromised': ['personal data',
'financial data',
'health data']},
'date_detected': '2025-01',
'date_publicly_disclosed': '2025-10-08',
'description': 'The Montana Commissioner of Securities and Insurance warned '
'nearly 462,000 Montana Blue Cross-Blue Shield (BCBSMT) '
'customers that their private data including financial, '
'health, and personal information may be at risk due to a data '
'breach originating from a third-party vendor, Conduent. The '
'breach occurred between November 8, 2024, and March 5, 2025, '
'with hackers exfiltrating personal data in January 2025. '
'Conduent provides mailroom, payment, and back-office support '
'services to BCBSMT. The incident did not directly impact '
'BCBSMT systems but affected members due to their relationship '
'with Conduent. Montana state law requires regulated companies '
"to report breaches involving personal information 'without "
"unreasonable delay.' The Commissioner’s office launched an "
'investigation, which could result in fines up to $25,000 per '
'violation if misconduct or non-compliance is found. Customers '
'are advised to monitor financial activity and review '
'explanation-of-benefits information for suspicious activity.',
'impact': {'brand_reputation_impact': ["Severe; described as 'deeply "
"disturbing' with 'far-reaching and "
"jaw-dropping consequences' by Montana "
'Auditor James Brown'],
'data_compromised': ['names',
'addresses',
'birth dates',
'billing data',
'medical data',
'phone numbers',
'other sensitive information'],
'identity_theft_risk': ['High; customers urged to monitor '
'financial activity'],
'legal_liabilities': ['Potential fines up to $25,000 per violation '
'if misconduct or non-compliance is found'],
'payment_information_risk': ['Compromised (billing data exposed)'],
'revenue_loss': ['Conduent reported bottom-line impact due to '
'notification and potential costs (per SEC '
'filings)'],
'systems_affected': ['Conduent systems (third-party vendor)']},
'investigation_status': 'ongoing (launched by Montana Commissioner of '
'Securities and Insurance; includes document reviews '
'and audits)',
'ransomware': {'data_exfiltration': 'yes'},
'recommendations': ['Customers urged to monitor financial activity and review '
'explanation-of-benefits for suspicious activity',
"Commissioner’s office emphasizes need for 'robust "
"oversight' and swift action to protect consumers"],
'references': [{'source': 'Montana Commissioner of Securities and Insurance'},
{'source': 'Conduent SEC filings'}],
'regulatory_compliance': {'fines_imposed': ['Potential fines up to $25,000 '
'per violation if non-compliance '
'is found'],
'legal_actions': ['Investigation launched by '
'Montana Commissioner of '
'Securities and Insurance'],
'regulatory_notifications': ['Montana law requires '
'breach notification '
"'without unreasonable "
"delay'; "
'Commissioner’s office '
'notified on '
'2025-10-08']},
'response': {'communication_strategy': ['Montana Commissioner’s office urged '
'customers to review '
'explanation-of-benefits and report '
'suspicious activity; BCBSMT set up a '
'dedicated member support line'],
'incident_response_plan_activated': ['Conduent notified BCBSMT; '
'Conduent to mail letters '
'to impacted members']},
'stakeholder_advisories': ['Commissioner’s office urging customers to report '
'suspicious activity; BCBSMT dedicated support '
'line established'],
'title': 'Montana Blue Cross-Blue Shield Data Breach via Third-Party Vendor '
'Conduent',
'type': ['data breach', 'third-party breach', 'data exfiltration']}