Judge Rules Commissioner Can Investigate Blue Cross Blue Shield
Blue Cross Blue Shield of Montana doesn’t get to stop the Commissioner of Securities and Insurance from investigating a data breach that affected 462,000 Montanans, a judge said.
In an order, Lewis and Clark District Court Judge Christopher Abbott denied a motion from the insurance provider to halt the investigation because doing so would allow Blue Cross to “skip the administrative review process.”
Abbott said if Blue Cross doesn’t prevail with the agency, it can then go to court. In the meantime, the judge granted the commissioner’s motion to dismiss the insurer’s call for a preliminary injunction.
The case was filed by Health Care Service Corporation doing business as Blue Cross Blue Shield of Montana against the State of Montana and Commissioner James Brown.
On Friday, April 17, Brown said the decision is a significant victory for the ability of his office to investigate possible violations by companies it regulates.
“If this decision had gone a different way, that would have really cabined my ability to protect Montana consumers and customers,” Brown said.
The questions that Brown still plans to answer are whether his office received notice of the data breach in a timely fashion, and whether customers received notice of the breach in a timely fashion.
“Montanans expect their personal data to be protected,” Brown said.
If Blue Cross is found to be at fault, it could face a penalty as high as $25,000 per violation, although Brown said the question about what constitutes a violation can be interpreted in different ways. (A violation could be the alleged failure to timely notify, as could the individual disclosures of Montanans’ personal information.)
Blue Cross Blue Shield of Montana did not respond to an email Friday seeking comment on whether it would appeal; if it would increase premiums to pay for any fines; and how it might be bolstering data security.
The order, issued last week, outlined the timeline of notifications.
The order said Health Care Service Corporation contracts with a third-party vendor, Conduent Business Services, for some logistical services.
It said Conduent notified the corporation on Jan. 17, 2025, that a “security incident” occurred, but it did not state whether the breach affected those who are insured by Blue Cross. The order did not specify what action — if any — the insurance giant took after Conduent’s notification.
Blue Cross learned on or around Sept. 23 that its members’ personal information was exposed. It notified the Commissioner of Securities and Insurance on Oct. 8, and it started notifying members, those who had insurance through Blue Cross Blue Shield, on Oct. 24, the order said.
“CSI promptly opened an investigation and requested information regarding the Conduent Event,” the order said. “The Commissioner issued a Notice of Hearing on Dec. 23, 2025, and requested that Blue Cross appear for a contested case hearing.”
The order said it isn’t the first time Blue Cross experienced a data breach, although it hasn’t reported all breaches to the Commissioner. It said in the past, Blue Cross has claimed a legal exemption for reporting.
However, in 2025, the Montana Legislature passed House Bill 60, which said insurers otherwise exempt from Montana’s Insurance Information and Privacy Protection Act still had to comply with its notification provision.
The order said the bill didn’t expressly address requirements for insurers for breaches prior to Oct. 1, 2025. It also said in the past, the Commissioner hasn’t disputed the exemption Blue Cross claimed.
“My predecessors acceded to that,” Brown said. “I have a different interpretation.”
Brown said he has not yet made any decision in the case, and he anticipates he’ll receive a recommendation in the next 30 to 45 days. However, Brown said the outcome of the lawsuit means his office retains authority to investigate.
“If the order had gone differently and the lawsuit had gone differently, then we would have been prohibited from even investigating whether those notices were timely made,” Brown said.
He also said the Commissioner of Securities and Insurance Office is designated as a criminal justice agency, but it doesn’t have a lot of the tools such agencies typically have, such as subpoena power, and it’s an issue he’d like to address.
“There’s no greater duty of government than to protect its citizens, and I take that duty very seriously,” Brown said.
