Blue Cross Blue Shield of Montana (BCBSMT)

A third-party data breach involving **Conduent**, a business services provider for BCBSMT, exposed sensitive personal and medical data of up to **462,000 Montanans** between **November 8, 2024, and March 5, 2025**. Compromised information includes **names, addresses, birth dates, phone numbers, billing details, and medical records**. While BCBSMT’s internal systems remained unaffected, the breach was described as having **‘far-reaching and jaw-dropping consequences’** by Montana’s State Auditor, James Brown. The exposed data was exfiltrated by a **‘threat actor’** but, per Conduent, has not been publicly leaked or sold on the dark web. BCBSMT claimed to offer **credit monitoring** to affected customers, though regulators reported delays in notifications. The incident prompted a **full-scale state investigation**, new cybersecurity initiatives, and a public awareness campaign to mitigate identity theft risks. Authorities emphasized **accountability, transparency, and legal action** against responsible parties.

Source: https://www.newsweek.com/montana-officials-investigate-data-breach-impacting-blue-cross-blue-shield-10927879

TPRM report: https://www.rankiteo.com/company/hcsc

"id": "hcs1192111102325",
"linkid": "hcsc",
"type": "Breach",
"date": "11/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '462,000',
                        'industry': 'healthcare',
                        'location': 'Montana, USA',
                        'name': 'Blue Cross Blue Shield of Montana (BCBSMT)',
                        'type': 'health insurer'},
                       {'industry': 'business process outsourcing',
                        'name': 'Conduent',
                        'type': 'third-party business services provider'}],
 'attack_vector': ['third-party vendor compromise',
                   'exfiltration of client files'],
 'customer_advisories': ['credit monitoring offered (unconfirmed)',
                         'public awareness campaign on identity theft'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '462,000',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high (includes medical and financial '
                                        'data)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'protected health information '
                                              '(PHI)',
                                              'billing data']},
 'date_detected': '2025-01-13',
 'date_publicly_disclosed': '2025-10-23',
 'description': 'Montana state officials launched an investigation into a '
                'third-party data breach involving Conduent, a business '
                'services provider for Blue Cross Blue Shield of Montana '
                '(BCBSMT). The breach exposed sensitive personal and medical '
                'data of up to 462,000 Montanans between November 8, 2024, and '
                'March 5, 2025. The exposed data includes names, addresses, '
                'birth dates, phone numbers, billing, and medical information. '
                'BCBSMT systems were not directly impacted, but the incident '
                'has prompted a full-scale regulatory investigation and new '
                'cybersecurity initiatives by the Montana State Auditor’s '
                'office.',
 'impact': {'brand_reputation_impact': ['severe',
                                        'eroded consumer trust',
                                        'regulatory scrutiny'],
            'data_compromised': ['names',
                                 'addresses',
                                 'birth dates',
                                 'phone numbers',
                                 'billing data',
                                 'medical data',
                                 'other sensitive information'],
            'identity_theft_risk': ['high',
                                    'statewide public awareness campaign '
                                    'launched'],
            'legal_liabilities': ['potential fines',
                                  'regulatory actions',
                                  'legal accountability demands'],
            'operational_impact': ['operations disruption (Conduent)',
                                   'regulatory investigation',
                                   'public awareness campaign'],
            'systems_affected': ['Conduent’s environment (limited portion)']},
 'initial_access_broker': {'high_value_targets': ['client files containing '
                                                  'PII/PHI']},
 'investigation_status': 'ongoing (full-scale investigation by Montana State '
                         'Auditor’s office)',
 'post_incident_analysis': {'corrective_actions': ['New cybersecurity '
                                                   'initiatives by Montana '
                                                   'State Auditor’s office',
                                                   'Statewide public awareness '
                                                   'campaign on fraud '
                                                   'prevention']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Enhance third-party vendor cybersecurity oversight',
                     'Implement statewide public awareness campaigns for '
                     'identity theft prevention',
                     'Strengthen regulatory accountability for data breaches'],
 'references': [{'date_accessed': '2025-10-23',
                 'source': 'Newsweek',
                 'url': 'https://www.newsweek.com'},
                {'date_accessed': '2025-04',
                 'source': 'U.S. Securities and Exchange Commission (SEC) '
                           'Filing by Conduent'},
                {'date_accessed': '2025-10-23',
                 'source': 'Montana State Auditor and Commissioner of '
                           'Securities and Insurance (James Brown) '
                           'Statements'}],
 'regulatory_compliance': {'legal_actions': ['full-scale investigation by '
                                             'Montana State Auditor’s office',
                                             'potential enforcement actions'],
                           'regulatory_notifications': ['U.S. Securities and '
                                                        'Exchange Commission '
                                                        '(SEC) filing by '
                                                        'Conduent']},
 'response': {'communication_strategy': ['public statements by Montana State '
                                         'Auditor',
                                         'social media updates (X)',
                                         'planned customer notifications'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['credit monitoring offered to affected '
                                       'individuals (claimed but not '
                                       'confirmed)'],
              'third_party_assistance': ['cybersecurity data mining experts '
                                         '(Conduent)']},
 'stakeholder_advisories': ['Montana State Auditor’s office',
                            'BCBSMT (planned but not confirmed)'],
 'title': 'Blue Cross Blue Shield of Montana (BCBSMT) Third-Party Data Breach '
          'via Conduent',
 'type': ['data breach', 'third-party breach', 'unauthorized access']}