Blue Cross Blue Shield of Montana (BCBSMT)

A data breach at Blue Cross Blue Shield of Montana (BCBSMT) was caused by a cyber incident at its third-party vendor, Conduent, which provides back-office services. The breach, detected in January 2025, involved unauthorized access by a threat actor who exfiltrated files containing personal information of 462,000 BCBSMT members. Conduent delayed notifying federal regulators for four months and BCBSMT members for nearly 10 months, raising concerns over compliance with Montana’s breach notification laws. The stolen data included sensitive member information, though Conduent claimed no evidence of it being leaked on the dark web. BCBSMT’s own systems were not directly compromised, but the vendor’s breach exposed member data due to their business relationship. Montana regulators are investigating potential reporting delays, with fines up to $25,000 per violation possible. Conduent incurred $25 million in direct response costs, including cybersecurity forensics and notifications, while maintaining that operations were restored quickly without material disruption.

Source: https://www.bankinfosecurity.com/montana-officials-looking-into-bcbs-breach-tied-to-vendor-a-29810

TPRM report: https://www.rankiteo.com/company/blue-cross-and-blue-shield-association

"id": "blu3202332102425",
"linkid": "blue-cross-and-blue-shield-association",
"type": "Breach",
"date": "1/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '462,000 members',
                        'industry': 'Healthcare',
                        'location': 'Montana, USA',
                        'name': 'Blue Cross Blue Shield of Montana (BCBSMT)',
                        'type': 'Health Insurer'},
                       {'industry': ['Business Process Services',
                                     'Healthcare Support',
                                     'Government Services'],
                        'location': 'Florham Park, New Jersey, USA',
                        'name': 'Conduent Inc.',
                        'size': '$3.4 billion revenue (2024)',
                        'type': 'Third-Party Vendor'}],
 'customer_advisories': ['Conduent to mail notifications to 462,000 BCBSMT '
                         'members'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '462,000 (BCBSMT members)',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': ['High (personal information)'],
                 'type_of_data_compromised': ['Personal information']},
 'date_detected': '2025-01-13',
 'date_publicly_disclosed': '2025-10-08',
 'description': 'Montana state authorities are investigating a data breach '
                'affecting 462,000 Blue Cross Blue Shield of Montana (BCBSMT) '
                'members, tied to a third-party vendor, Conduent. The breach '
                'was detected in January 2025, but notifications to affected '
                'members were delayed by nearly 10 months. Conduent, a '
                'provider of back-office services, reported the incident to '
                'the SEC in April 2025, confirming that a threat actor '
                "exfiltrated files containing personal information of clients' "
                'end users. The data has not been found on the dark web, but '
                'the incident prompted regulatory scrutiny over potential '
                'reporting delays and fines under Montana state law.',
 'impact': {'brand_reputation_impact': ['Potential reputational damage to '
                                        'BCBSMT and Conduent',
                                        'Regulatory scrutiny for delayed '
                                        'notifications'],
            'data_compromised': True,
            'downtime': ['Operational disruption on 2025-01-13',
                         'Restored within days/hours'],
            'identity_theft_risk': ['Personal information of 462,000 BCBSMT '
                                    'members exposed'],
            'legal_liabilities': ['Potential fines up to $25,000 per violation '
                                  'under Montana state law'],
            'operational_impact': ['Disruption to back-office services',
                                   "No material impact to Conduent's "
                                   'operations'],
            'systems_affected': ["Conduent's systems (limited portion)"]},
 'initial_access_broker': {'data_sold_on_dark_web': ['No evidence of data '
                                                     'released on dark web (as '
                                                     'of reporting)']},
 'investigation_status': 'Ongoing (Montana state investigation into potential '
                         'reporting delays)',
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'Information Security Media Group (ISMG)'},
                {'date_accessed': 'April 2025',
                 'source': 'U.S. Securities and Exchange Commission (SEC) '
                           'Filing by Conduent'},
                {'source': "Montana State Auditor's Office"}],
 'regulatory_compliance': {'fines_imposed': ['Up to $25,000 per violation '
                                             '(potential)'],
                           'regulations_violated': ['Montana state data breach '
                                                    'reporting requirements '
                                                    '(potential violation)'],
                           'regulatory_notifications': ['Reported to Montana '
                                                        "state auditor's "
                                                        'office (2025-10-08)',
                                                        'Reported to U.S. '
                                                        'Securities and '
                                                        'Exchange Commission '
                                                        '(April 2025)',
                                                        'Reported to '
                                                        'California Attorney '
                                                        "General's office "
                                                        '(2025-10-08)']},
 'response': {'communication_strategy': ['Conduent to mail letters to impacted '
                                         'BCBSMT members',
                                         'BCBSMT issued public statement'],
              'containment_measures': ['Restored affected systems within '
                                       'days/hours'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'third_party_assistance': ['External cybersecurity experts',
                                         'Cybersecurity data mining experts']},
 'stakeholder_advisories': ['BCBSMT statement to members',
                            'Conduent letters to impacted members'],
 'title': 'Blue Cross Blue Shield of Montana Data Breach via Third-Party '
          'Vendor (Conduent)',
 'type': ['Data Breach',
          'Third-Party Vendor Compromise',
          'Unauthorized Access']}