462,000 Blue Cross Blue Shield of Montana Customers Impacted By Business Associate Data Breach

About 462,000 current and past clients of Blue Cross Blue Shield of Montana (BCBSMT) were affected by a cyberattack on Conduent Business Services, its business associate based in New Jersey. Conduent Business Services provides payment, document processing, and back office services. As such, BCBSMT allows Conduent Business Services access to its members’ protected health information (PHI). On January 13, 2025, the business associate discovered a security incident that caused an operational interruption, wording normally used to refer to a ransomware attack.

Conduent Business Services recovered access to the impacted systems and resumed regular business operations within a couple of days. The investigation revealed that unauthorized access to its IT system started on October 21, 2024, and continued for roughly three months. During that time, the attacker extracted files from its system. On April 9, 2025, Conduent Business Services disclosed the attack in a filing with the U.S. Securities and Exchange Commission (SEC). At that time, the actual number of impacted individuals was uncertain.

On October 8, 2025, Conduent Business Services notified the California Attorney General of the data breach, which affected roughly 4.3 million people. The number of the company’s clients impacted by the breach is uncertain. It is also unclear whether the breach affected other HIPAA-regulated entity customers. The breach is not yet listed on the HHS Office for Civil Rights (OCR) breach portal.

BCBSMT alerted the Montana State Auditor’s Office to the data breach at the beginning of October, roughly one year after its business associate first identified the breach. BCBSMT states that it was notified at the start of the year that it was impacted and has since been carrying out its own investigation and analyzing the affected information. The evaluation was only completed on September 23, 2025. The incident has not yet appeared on the OCR breach portal, probably because OCR hasn’t updated the breach website since September 24, 2025, as a result of the government shutdown. The Montana State News Bureau reports that it found out about the data breach after filing a records request. The records it received reveal that approximately 462,000 Montanans were affected, and that the breached data included names, Social Security numbers, dates of birth, treatment and diagnosis numbers, healthcare provider names, and claims amounts.

The Montana Commissioner of Securities and Insurance has opened an investigation to determine whether state data breach notification regulations were violated. Breached entities must notify affected individuals of a data breach promptly. They must likewise notify the Department of Justice of a data breach without unreasonable delay. However, there is presently no information about the data breach on the DOJ consumer protection site. The state auditor is seeking answers to questions about the security incident and is looking into its privacy and security guidelines. If BCBSMT is found to have failed to follow state rules, financial penalties may be imposed.