James Brown, Montana state auditor and commissioner of securities and insurance, launched an investigation into Blue Cross and Blue Shield of Montana, a subsidiary of Health Care Service Corp., after a data breach that may have affected up to 462,000 customers was uncovered.
An Oct. 22 news release shared on X said the breach could have revealed names, addresses, birth dates, billing and medical data, phone numbers and other sensitive information. In an interview with Becker’s, Mr. Brown confirmed data was exposed between Oct. 21, 2024, and Jan. 13, 2025. He learned of the incident on Oct. 8, 2025.
A spokesperson on behalf of Blue Cross and Blue Shield of Montana told Becker’s that the third-party business services provider Conduent informed the insurer of a cyber incident, and the payer’s own systems were not impacted.
“This breach is not just a technical lapse. This is a deeply disturbing incident with far-reaching and jaw-dropping consequences for our citizens,” Mr. Brown said in the Oct. 22 news release. “Montanans have every right to expect their personal data, especially sensitive health information, to be protected by the entities they trust. The severity of this breach underscores the urgent need for robust oversight and our agency to take swift and immediate action to protect Montana consumers.”
Mr. Brown said his office was under the impression that HCSC will offer free credit monitoring, and that Conduent will be responsible for contacting affected customers. However, the commissioner said his team had not heard those activities are actually happening.
“That is very frustrating for me, that these notifications have not gone out and these types of services have not been implemented at this time, even though the data breach occurred over a year ago,” he said.
Montana law allows Mr. Brown to issue a fine of up to $25,000 due to an insurer’s untimely reporting.
“The penalty amount is not congruent with the damage that could be done to Montana,” Mr. Brown said.
