A massive data breach at **Blue Cross-Blue Shield of Montana**, the state’s largest health insurer, exposed the sensitive personal and healthcare data of **462,000 customers**, nearly one-third of Montana’s population. The breach, caused by a **third-party vendor (Conduent)**, lasted from **October 2024 to January 2025** but was only disclosed in **October 2025**, nearly a year after discovery. Compromised data included **birth dates, Social Security numbers, and health condition records**, data that cybercriminals heavily target for identity theft, fraud, and dark web sales. Victims face risks of **medical identity theft (average cost: $20,000 per incident)**, lost healthcare coverage, increased premiums, and long-term financial harm. The company failed to encrypt data, delete obsolete records, or notify affected individuals promptly, violating Montana’s breach disclosure laws. A **class-action lawsuit** alleges negligence, breach of contract, and violations of consumer protection laws, and seeks damages, security reforms, and a decade of third-party monitoring. The breach has already led to **spam, fraud calls, and identity theft cases**, with victims unable to mitigate the risks because alerts were delayed.
TPRM report: https://www.rankiteo.com/company/hcsc
{
"id": "hcs3702237102525",
"linkid": "hcsc",
"type": "Breach",
"date": "10/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '462,000',
'industry': 'healthcare/insurance',
'location': 'Montana, USA',
'name': 'Blue Cross-Blue Shield of Montana',
'size': "462,000 customers (~1/3 of Montana's "
'population)',
'type': 'health insurance company'},
{'industry': 'business process services',
'name': 'Conduent (third-party vendor)',
'type': 'vendor/service provider'}],
'attack_vector': ['third-party vendor (Conduent)',
'unsecured data storage',
'lack of encryption'],
'customer_advisories': ['Breach notice posted on company website (2025-10)',
'Customer notification letters sent starting '
'2025-10-24'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '462,000',
'personally_identifiable_information': True,
'sensitivity_of_data': 'high (medical + financial identity '
'theft risk)',
'type_of_data_compromised': ['PII (birth dates, SSNs)',
'health records',
'private healthcare '
'information']},
'date_detected': '2025-01',
'date_publicly_disclosed': '2025-10-24',
'description': 'A massive data breach at Blue Cross-Blue Shield of Montana, '
'affecting up to 462,000 customers (approximately one-third of '
"Montana's residents), exposed sensitive personal and "
'healthcare information, including birth dates, Social '
'Security numbers, and health condition data. The breach was '
'allegedly caused by a third-party vendor, Conduent, and '
'lasted from October 2024 to January 2025. The company was '
'accused of failing to notify customers promptly (discovered '
'in January 2025 but disclosed in October 2025) and not '
'implementing standard data protection measures like '
'encryption. A class-action lawsuit was filed, alleging '
'negligence, breach of contract, and violations of Montana’s '
'Consumer Protection Act. The breach led to identity theft '
'risks, financial losses, and operational disruptions, with '
'potential costs of $20,000 per victim for medical identity '
'theft resolution.',
'impact': {'brand_reputation_impact': ['loss of trust',
'negative media coverage',
'legal scrutiny'],
'customer_complaints': ['spam calls',
'fraud attempts',
'identity theft reports'],
'data_compromised': ['birth dates',
'Social Security numbers',
'health condition data',
'personally identifiable information (PII)'],
'financial_loss': {'credit_monitoring_cost': '$200/year per class '
'member (minimum 5 '
'years)',
'estimated_cost_per_victim': '$20,000 (medical '
'identity theft)',
'out_of_pocket_costs': 'common for victims',
'total_potential_cost': None},
'identity_theft_risk': ['high (data sold on dark web for $40–$200 '
'per record)',
'complete dossiers assembled by '
'cybercriminals'],
'legal_liabilities': ['class-action lawsuit (7 counts: negligence, '
'breach of contract, Montana Consumer '
'Protection Act violations, etc.)',
'potential regulatory fines'],
'operational_impact': ['investigation by Montana Commissioner of '
'Securities and Insurance',
'class-action lawsuit',
'customer notifications delayed'],
'systems_affected': ['third-party vendor systems (Conduent)',
'customer databases']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': 'third-party vendor (Conduent)',
'high_value_targets': ['PII', 'health records']},
'investigation_status': 'ongoing (regulatory investigation + class-action '
'lawsuit)',
'lessons_learned': ['Timely breach notification is critical to mitigate harm.',
'Third-party vendor risks must be proactively managed.',
'Encryption and data retention policies are essential for '
'protecting sensitive data.',
'Delayed responses exacerbate financial and reputational '
'damage.'],
'motivation': ['financial gain (data sale on dark web)',
'identity theft',
'fraud'],
'post_incident_analysis': {'corrective_actions': ['Mandatory encryption for '
'all PII/health data.',
'Third-party vendor '
'security assessments.',
'Immediate breach '
'notification protocols.',
'Periodic security audits '
'(internal + independent).',
'Staff training on data '
'handling.',
'Prohibition of cloud '
'storage for unencrypted '
'PII.',
'10-year third-party '
'compliance monitoring.'],
'root_causes': ['Failure to encrypt sensitive '
'data.',
'Inadequate third-party vendor '
'security oversight.',
'Delayed breach detection/response '
'(October 2024–January 2025).',
'Lack of proactive customer '
'notification (violated Montana '
'law).',
'Poor data retention practices '
'(retaining data longer than '
'necessary).']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Implement robust encryption for all sensitive data.',
'Conduct regular security audits (internal + '
'third-party).',
'Enforce strict data retention/deletion policies.',
'Prohibit storing PII on unsecured cloud services.',
'Establish clear breach notification protocols (comply '
'with Montana’s ‘without reasonable delay’ law).',
'Provide comprehensive staff training on data security.',
'Engage a third-party monitoring firm for 10+ years '
'post-breach.',
'Offer free credit/identity theft monitoring to affected '
'customers.'],
'references': [{'source': 'Daily Montanan'},
{'source': 'Lewis and Clark County District Court '
'(Class-Action Lawsuit Filing)'},
{'source': 'Montana Commissioner of Securities and Insurance '
'Investigation'},
{'source': 'Experian Study (Medical Identity Theft Costs)'},
{'source': '2007 General Accounting Office Report (Data Fraud '
'Timelines)'}],
'regulatory_compliance': {'legal_actions': ['class-action lawsuit (7 counts)',
'Montana Commissioner of '
'Securities and Insurance '
'investigation'],
'regulations_violated': ['Montana Consumer '
'Protection Act',
'Montana breach '
'notification law (delayed '
'disclosure)'],
'regulatory_notifications': ['Montana Commissioner '
'notified on '
'2025-10-08']},
'response': {'communication_strategy': ['limited (no comment on litigation)',
'website notice',
'delayed customer letters'],
'incident_response_plan_activated': 'delayed (notified customers '
'starting 2025-10-24, 9+ '
'months after discovery)',
'remediation_measures': ['customer notifications (delayed)',
'website breach notice'],
'third_party_assistance': ['legal firms (Graybill Law, Heenan '
'and Cook, Paoli Law)',
'potential future auditors']},
'stakeholder_advisories': ['Montana Commissioner of Securities and Insurance '
'(James Brown)',
'Plaintiff attorneys (Raph Graybill, John Heenan, '
'David Paoli)'],
'title': 'Blue Cross-Blue Shield of Montana Data Breach (2024-2025)',
'type': ['data breach',
'third-party vendor compromise',
'identity theft risk'],
'vulnerability_exploited': ['unencrypted sensitive data',
'improper data retention',
'third-party security gaps']}