Priority review Enforcement Amended Final

Montana BCBS Data Breach Dispute with Insurance Commissioner

MT Insurance News (csimt.gov)
Filed January 22nd, 2026
Detected March 19th, 2026

Summary

The Montana Commissioner of Securities and Insurance is in a dispute with Montana Blue Cross-Blue Shield (BCBS) over the handling of a large data breach. BCBS is fighting a hearing, claiming the commissioner is unfairly targeting it and that its notification timeline was reasonable, despite a significant gap between discovery and customer notification.

What changed

The Montana Commissioner of Securities and Insurance (CSI) is engaged in a dispute with Montana Blue Cross-Blue Shield (BCBS) concerning the timeline of notification following a significant data breach affecting BCBS customers. The breach, originating from a third-party vendor, Conduent, was discovered by Conduent on January 13, 2025, and BCBS was notified on January 17, 2025. However, BCBS claims it did not discover its own data was breached until July 2025, and subsequently notified the CSI on October 8, 2025, with customer notifications beginning October 24, 2025. BCBS is contesting a CSI hearing, arguing the office is unfairly targeting them and that their notification process was reasonable under Montana law, which requires notification within a "reasonable" amount of time, though this term is not precisely defined.

This dispute highlights potential compliance issues related to data breach notification timelines for insurers in Montana. Regulated entities, particularly those experiencing data breaches via third-party vendors, must ensure their internal discovery and external notification processes are demonstrably reasonable and timely to avoid regulatory scrutiny. The CSI's stance suggests that significant delays between vendor notification, internal discovery, and regulatory/customer notification may be deemed unreasonable. Compliance officers should review their incident response plans, focusing on the speed of internal assessment and external reporting following a breach, and be prepared to justify their timelines to regulators.

What to do next

  1. Review data breach incident response plans for timeliness of internal discovery and external notification.
  2. Ensure clear procedures are in place to justify notification timelines to regulators.
  3. Consult legal counsel regarding Montana's definition of 'reasonable' time for data breach notification.

Source document (simplified)

Darrell Ehrlick | Daily Montanan

January 22, 2026

The largest health insurance company in Montana is fighting against the Montana Commissioner of Securities and Insurance as state officials push to find out more information about the largest data breach in state history, and whether Montana Blue Cross-Blue Shield delayed notifying customers that their personal identifying information, including Social Security numbers, may have been breached.

In a contested hearing on Thursday afternoon, attorneys for Montana Blue Cross-Blue Shield pointed to a filing in district court asking the courts to stop the hearing and process. BCBS also objected to the hearing because it said the office wasn’t properly conducting the hearing, objected that staff attorneys were advising hearing officer David Saunders, who serves as the CSI chief of staff, and said the office was unfairly targeting it, when other companies fell victim to the same breach.

The case stems from a massive data breach by Conduent, which is a third-party vendor to BCBS. In testimony Thursday, exhibits showed that Conduent discovered the breach on Jan. 13, 2025, and notified BCBS on Jan. 17, 2025.

But attorneys for Blue Cross-Blue Shield said it wasn’t until July the company discovered its data — including customer identification — had been breached.

Staff from Commissioner James Brown’s office said BCBS didn’t notify them until Oct. 8, and didn’t begin contacting customers about the breach until Oct. 24, and may have still been informing customers as late as last week.

However, attorneys from BCBS argued they had taken responsibility by informing the insurance commissioner of the breach, and for following through with customers.

But the main issue is the gap in timing, which CSI staff have said was not “reasonable.” Montana law requires insurance companies to notify the state if there is a data breach in a “reasonable” amount of time, but the exact definition of reasonable is not detailed in law.


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: State DOI
Filed: January 22nd, 2026
Instrument: Enforcement
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Insurers
Industry sector: 5241 Insurance
Activity scope: Data Breach Notification
Geographic scope: State (Montana)

Taxonomy

Primary area: Insurance
Operational domain: Compliance
Topics: Data Privacy, Cybersecurity
