Blue Cross Blue Shield Argues State Investigation Should Be Halted
Blue Cross Blue Shield fought this week in Lewis and Clark County District Court to stop the Montana Commissioner of Securities and Insurance from moving ahead with an investigation into a massive data breach, affecting more than 460,000 Montanans.
Montana’s largest insurance carrier told Judge Christopher Abbott the process has been stacked against it and it hasn’t been able to properly defend itself.
Meanwhile, attorneys for Commissioner James Brown told the judge the administrative process hasn’t played out and it’s unclear if a 2025 Legislative session regarding data breaches will be retroactive to an incident involving Conduent, a third-party contractor of Blue Cross Blue Shield, which was reported in January of last year. The state is still in the process of gathering facts about the breach, lawyers for the state said.
That’s why the state wants the investigative process to play out, attorney Jack Connors said, adding the process would answer those questions. There’s also an option for judicial review under the Montana Administrative Procedure Act, which the state says applies in this case and the state is seeking dismissal of the lawsuit.
“As a matter of basic administrative law, a party must exhaust all available administrative remedies before turning to a court for relief,” the state’s request for dismissal says. “The Montana Supreme Court has held that compliance with the provisions of MAPA is mandatory.”
The hearing came as a step by the state to investigate when the breach occurred, why it took until October for the company to fully report the issue and when those impacted were told their data was compromised.
“Commissioner Brown opened the investigation of BCBSMT and the Conduent data breach for multiple reasons: (a) to help educate the public about data breaches, (2) to improve the regulation of insurance companies to prevent future breaches, and (3) to potentially impose a fine against BCBSMT if the facts establish a violation and if the Commissioner finds that imposing a fine is in the public interest,” court documents submitted by the state say.
Lawyers for the state did say Brown, “wasn’t going to stick it to the largest health insurance provider in Montana.”
Blue Cross Blue Shield, meanwhile, has said they’re being unfairly targeted, having told the state about data breaches as a “courtesy,” and that they’ve been exempt from a state law requiring insurance companies to notify customers of data breaches.
“There was an event that occurred in January, the statute was changed in February, and now we’re going to stick it to you in October, when it becomes a law,” Dan Auerbach, an attorney representing Blue Cross Blue Shield, said.
“I will do my best to act on this quickly, just so there’s some clarity about the procedure,” Abbott said in court on Wednesday. “I think that both sides benefit from having clarity about the posture of this case versus the administrative action.”
Meanwhile, some Montanans impacted by the breach are frustrated. Lorraine Salmon, who lives outside Three Forks, said she received a letter dated Oct. 24 in the mail from Blue Cross Blue Shield notifying her that her data had been compromised. She received three letters notifying her of a data breach involving an insurance company in about a month.
“I feel very vulnerable,” Salmon, 62, said. “I mean, at this point I have my information exposed, at so many levels, it’s like, why even bother having any privacy? I mean, I don’t have any privacy.”
Data breaches are becoming more common, according to the Identity Theft Resource Center, which tracked 3,322 American data breaches in 2025, an increase of 4 percent from 2024, and up 79 percent compared to 2020. About twothirds of those included Social Security numbers, the report said.
Tony Urso, a state worker in Helena, said the whole thing made him uncomfortable.
“I haven’t had a direct breach on it, but I have had weird inquiries over the last few months, like asking me to give credit cards and things like that,” Urso said. “Maybe it’s related, I don’t know, but it didn’t happen before, so I’m unsure.”
Salmon said she’s had her data stolen five times stemming from insurance company breaches. It’s hard for her to understand why those companies aren’t taking better care of sensitive data.
“I kind of wonder: Why have a third party?” Salmon said. “The question is, why can’t they do it themselves?”
Urso has similar frustrations.
“They should have proper security systems in line so this breach doesn’t occur. However, this will happen, this is an inevitable situation,” Urso, 65, said. “Once it does occur, they should be upfront immediately and get together with the State Auditor’s office immediately and resolve the outstanding issues on it immediately.”
