A class action lawsuit has been filed against Blue Cross Blue Shield of Montana (BCBSMT) over a data breach that allegedly exposed the sensitive personal and medical information of hundreds of thousands of members. The filing comes as Montana State Auditor and Commissioner of Securities and Insurance James Brown launched a separate investigation into the incident involving a third-party business service provider.
The lawsuit claims BCBSMT failed to protect members’ information, exposing them to potential identity theft and fraud. According to court documents, the insurer has yet to notify members about the breach or its potential consequences, raising concerns about compliance with Montana’s 2023 law requiring timely disclosure of data breaches.
The plaintiffs allege negligence, invasion of privacy, breach of implied contract, violation of the Montana Consumer Protection Act, and unjust enrichment. The case was filed Thursday in the U.S. District Court of Montana against Health Care Services Corporation, the licensee of Blue Cross Blue Shield in five states, including Montana.
From November 2024 to March 2025, Conduent, a third-party business services company, experienced a cyberattack that compromised data from approximately 462,000 Montanans. Information exposed reportedly includes names, Social Security numbers, dates of birth, contact details, medical treatment and billing data, provider names, and claims information—data that could be used for fraud or identity theft.
The lawsuit asks the court to determine whether BCBSMT failed to implement reasonable cybersecurity measures, failed to promptly alert members, acted negligently in handling sensitive information, and violated Montana’s Consumer Protection Act. Plaintiffs also seek damages for costs associated with preventing or recovering from identity theft, lost wages, and other related financial impacts, as well as protection against future breaches.
According to the filing, at least one plaintiff has already experienced suspicious activity tied to her Social Security number. Attorneys representing the plaintiffs say discovery will be used to determine the full extent of the breach and verify the affected data.
Montana State Auditor James Brown described the breach as “a deeply disturbing incident with far-reaching consequences” for residents and criticized BCBSMT for not notifying customers promptly. BCBSMT has acknowledged that some member data was affected by the Conduent cyberattack but maintains that its own systems were not compromised.
By: BSH staff