The Montana Office of the Commissioner of Securities and Insurance (CSI) held a public administrative hearing on January 22, 2026, to examine a cybersecurity breach involving Health Care Service Corporation, a mutual legal reserve company doing business as Blue Cross Blue Shield of Montana (BCBSMT).
The hearing moved forward after the Lewis and Clark County District Court denied BCBSMT’s request for a temporary restraining order (TRO) that would have blocked the proceeding. With the court’s denial, CSI conducted the hearing as scheduled.
The purpose of the hearing was to receive evidence and determine whether BCBSMT complied with Montana law requiring the timely reporting of cybersecurity incidents. Regulators also examined the facts and circumstances surrounding the breach, which BCBSMT reported to CSI in October 2025. The cybersecurity event may have affected approximately 462,000 Montanans and involved sensitive consumer information, including personally identifiable information and protected health data.
During the hearing, CSI heard testimony and reviewed evidence addressing the timeline of the breach, BCBSMT’s response, and the insurer’s assertion that a third-party vendor, Conduent Business Services LLC, was responsible for the incident. CSI is evaluating whether BCBSMT met its statutory reporting obligations regardless of any third-party involvement.
Evidence presented indicated that BCBSMT first received notification from Conduent Business Services in January 2025 regarding a potential data breach, but did not notify CSI until October 2025, several months later.
“It is troubling that it appears BCBSMT attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts,” said CSI Communications Director Tyler Newcombe. “Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. That is exactly what this hearing was designed to do. Our office will consider all the evidence and then issue a final order in due course.”
Montana law requires regulated entities to promptly report cybersecurity breaches to state regulators in order to protect consumers and ensure transparency. CSI officials said the hearing was conducted under that authority and is part of the agency’s ongoing effort to safeguard Montanans’ personal and health information.
By BSB Staff