
Bank Info Security reports:
Montana state regulators are investigating a data breach affecting 462,000 Blue Cross Blue Shield of Montana members involving one of the health insurer’s third-party services providers – and they want to know why nearly 10 months have gone by without notifying the breach victims.
It took nearly four months for the insurer’s vendor, Conduent, to notify federal regulators about the incident that was detected in January 2025. The company said the breach affected a “significant number” of people.
Blue Cross Blue Shield of Montana in a statement to Information Security Media Group said Conduent notified the health insurer that some member data was affected, but did not disclose when it was notified by Conduent.
[…]
A Montana state spokesman told ISMG that the state auditor’s office is investigating the breach in part to determine whether Blue Cross Blue Shield of Montana delayed reporting the incident to the state and notifying affected members. BCBSMT reported the breach to Montana authorities on Oct. 8, he said.
Under Montana state law, entities are required to report major data breaches to the state “without reasonable delay,” he said.
Read more at Bank Info Security.
Neither Blue Cross Blue Shield of Montana nor Conduent notified HHS within 60 calendar days of discovery, as required by HIPAA and HITECH, so it may not be just the state investigating the timeliness of the insurer’s incident response.
