ACCORDING to DataBreaches[.]Net, a Montana state investigation into a breach affecting Blue Cross Blue Shield of Montana members could move to court after BCBSMT filed suit in Helena arguing that the state auditor lacks authority to pursue the probe. The company said the breach, linked to Conduent, potentially exposed up to 462,000 members’ data and was reported to the Montana State Auditor’s office, which launched the investigation.
BCBSMT learned of the incident on 1 July 2025 and completed its own investigation on 23 September, notifying the state auditor after 1 October but describing the notification as a courtesy since the breach occurred before that date. The insurer had previously indicated that entities covered by HIPAA were exempt under Montana’s breach-notification law if they complied with HIPAA’s Breach Notification Rule, a claim now central to the dispute.
BCBSMT’s actions come amid a broader question of whether the new Montana law, effective 1 October 2025, requires timely reporting to the auditor in cases where affected individuals had not yet been notified. DataBreaches[.]Net notes that there is no entry on HHS’s public breach tool from BCBSMT or Conduent as of publication.