Blue Cross Blue Shield of Montana (BCBSMT)

Blue Cross Blue Shield of Montana (BCBSMT) suffered a large-scale data breach via a third-party vendor, **Conduent**, between late 2024 and early 2025. The incident compromised the **personal and medical information** of **462,000 Montanans**—nearly **one-third of the state’s population**. Exposed data included **names, addresses, birth dates, billing and medical records, phone numbers, and other sensitive details**. The breach triggered an investigation by Montana’s **State Auditor and Insurance Commissioner**, James Brown, who criticized BCBSMT for delays in notification and transparency. The fallout led to regulatory scrutiny, potential enforcement actions, and a public awareness campaign urging affected residents to monitor financial and insurance statements for fraud. BCBSMT’s response remains under legal constraint, with the company declining to comment on pending litigation. The scale of the breach and the sensitivity of the leaked data—spanning **health and financial records**—pose severe risks of **identity theft and medical fraud** to the impacted individuals and of **long-term reputational damage** to BCBSMT. Montana’s government deployed an **AI assistant** to manage the surge in consumer inquiries, highlighting the breach’s systemic impact on state-level cybersecurity and regulatory frameworks.

Source: https://nbcmontana.com/news/local/montana-launches-aggressive-probe-into-blue-cross-blue-shield-data-breach

Health Care Service Corporation cybersecurity rating report: https://www.rankiteo.com/company/hcsc

"id": "HCS1002310112225",
"linkid": "hcsc",
"type": "Breach",
"date": "6/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': "462,000 (~1/3 of Montana's "
                                              'population)',
                        'industry': 'healthcare/insurance',
                        'location': 'Montana, USA',
                        'name': 'Blue Cross Blue Shield of Montana (BCBSMT)',
                        'type': 'health insurance provider'},
                       {'industry': 'business process services',
                        'name': 'Conduent (third-party vendor)',
                        'type': 'vendor/service provider'}],
 'attack_vector': 'third-party vendor (Conduent) security breach',
 'customer_advisories': ['Monitor Explanation of Benefits',
                         'Report suspicious activity immediately',
                         'Visit csimt.gov for AI-assisted support'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '462,000',
                 'personally_identifiable_information': ['names',
                                                         'addresses',
                                                         'birth dates',
                                                         'phone numbers'],
                 'sensitivity_of_data': 'high (includes medical and billing '
                                        'data)',
                 'type_of_data_compromised': ['PII (Personally Identifiable '
                                              'Information)',
                                              'PHI (Protected Health '
                                              'Information)',
                                              'billing data']},
 'description': 'A large-scale data breach at Blue Cross Blue Shield of '
                'Montana (BCBSMT) compromised the personal and medical '
                "information of nearly one-third of Montana's population "
                '(~462,000 individuals). The breach occurred via a third-party '
                'vendor, Conduent, between late 2024 and early 2025. '
                'Compromised data includes names, addresses, birth dates, '
                'billing/medical data, phone numbers, and other sensitive '
                'information. Montana State Auditor James Brown launched an '
                'investigation, criticizing the notification timeline and '
                'deploying an AI-powered assistant to assist affected '
                'residents.',
 'impact': {'brand_reputation_impact': "significant (described as 'deeply "
                                       "disturbing' with 'far-reaching "
                                       "consequences')",
            'customer_complaints': 'surge in consumer questions (handled via '
                                   'AI assistant)',
            'data_compromised': ['names',
                                 'addresses',
                                 'birth dates',
                                 'billing data',
                                 'medical data',
                                 'phone numbers',
                                 'other sensitive information'],
            'identity_theft_risk': 'high (residents urged to monitor '
                                   'Explanation of Benefits)',
            'legal_liabilities': 'potential enforcement actions for untimely '
                                 'notification (investigation ongoing)'},
 'initial_access_broker': {'entry_point': 'third-party vendor (Conduent)',
                           'high_value_targets': ['PII',
                                                  'PHI',
                                                  'billing data']},
 'investigation_status': 'ongoing (responses from BCBSMT/Conduent under '
                         'analysis; potential public hearing)',
 'post_incident_analysis': {'corrective_actions': ['AI tool deployment for '
                                                   'consumer support',
                                                   'Potential legislative '
                                                   'updates for '
                                                   'AI/cybersecurity '
                                                   'oversight']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Monitor Explanation of Benefits for suspicious activity',
                     'Update Montana laws to address AI and cybersecurity gaps '
                     '(potential 2027 legislative action)',
                     'Explore AI for regulatory efficiency (e.g., insurance '
                     'product reviews)'],
 'references': [{'source': 'NBC Montana'},
                {'source': 'Montana Commissioner of Securities and Insurance '
                           '(csimt.gov)',
                 'url': 'https://csimt.gov'}],
 'regulatory_compliance': {'legal_actions': 'investigation ongoing; potential '
                                            'enforcement authority',
                           'regulations_violated': ['potential untimely '
                                                    'notification to regulator',
                                                    'potential untimely '
                                                    'notification to affected '
                                                    'individuals'],
                           'regulatory_notifications': ['Montana State '
                                                        "Auditor's office "
                                                        'notified',
                                                        'affected individuals '
                                                        'notified (timeliness '
                                                        'under scrutiny)']},
 'response': {'communication_strategy': ['urgent questions to BCBSMT/Conduent',
                                         'public statements',
                                         'AI assistant (csimt.gov)',
                                         'advisories to monitor Explanation of '
                                         'Benefits'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['AI-powered assistant for consumer '
                                    'inquiries',
                                    'public awareness campaign']},
 'stakeholder_advisories': ['Urgent questions sent to BCBSMT/Conduent',
                            'Public awareness campaign for affected residents',
                            'AI assistant deployed for consumer inquiries'],
 'title': 'Blue Cross Blue Shield of Montana (BCBSMT) Data Breach via '
          'Third-Party Vendor Conduent',
 'type': ['data breach', 'third-party vendor compromise']}