Health Care Service Corporation Data Breach: 462,000 Blue Cross Blue Shield of Montana Members at Risk

Hackers stole sensitive medical and Social Security data from a vendor; a Montana class action seeks accountability and compensation.
Montana’s largest health insurer, Blue Cross Blue Shield of Montana (BCBSMT), and its parent company, Health Care Service Corporation (HCSC), are facing a class action lawsuit after a massive data breach linked to their third-party vendor, Conduent Business Services.
Conduent provides payment processing, document handling, and other back-office services for BCBSMT. In doing so, it holds highly sensitive information on hundreds of thousands of Montanans. Hackers gained unauthorized access to Conduent’s systems in October 2024, and the intrusion continued until January 2025, during which files were taken from its network.
The lawsuit alleges that private information for up to 462,000 current and former BCBSMT customers was compromised—roughly one-third of Montana’s population.
What Happened?
On October 21, 2024, hackers gained unauthorized access to Conduent’s systems. The intrusion reportedly continued until mid-January 2025, during which time files were taken from the company’s network. Conduent provides payment processing, document management, and back-office services to BCBSMT, which requires access to sensitive member information.
BCBSMT has confirmed that data tied to Montana members was involved. Regulators are now investigating why it took so long for affected members to be notified. While Conduent detected the incident in January 2025 and reported it to federal authorities in April, the Montana State Auditor’s Office did not receive notice about affected BCBSMT members until October 2025—nearly a year after the breach began.
What Information Was Exposed?
According to documents provided to state regulators, the compromised files may include:
- Names and dates of birth
- Social Security numbers
- Information about medical conditions and treatments
- Diagnosis and procedure codes
- Provider names and claims amounts
This combination of personal identifiers and medical details is exactly the type of data cybercriminals target. The lawsuit notes that “private information can be sold at a price ranging from $40 to $200,” and that entire company breach datasets can be sold for $900 to $4,500 on the dark web.
Who Is Affected?
BCBSMT has stated that approximately 462,000 current and former members may be impacted—almost one-third of Montana’s population. The breach arose from systems controlled by Conduent, not from BCBSMT’s own internal network; however, regulators are examining whether notification obligations were met and whether sufficient safeguards were in place.
If you have had health insurance coverage through Blue Cross Blue Shield of Montana in recent years, you may be among those whose data was exposed, even if you no longer have an active policy.
What You Can Do Now
If you are a current or former BCBSMT member and:
- Received a breach notification letter, or
- Believe your information may have been involved in this incident,
you may be eligible to join the class action. Steps to consider:
- Save all letters and emails you receive about the breach.
- Enroll in any free credit or identity monitoring being offered.
- Check your credit reports and insurance statements for unfamiliar accounts, bills, or claims.
- Contact a data-breach lawyer to discuss your rights and how to participate in the lawsuit.
Keep copies of any letters you receive about the breach, as well as records of time and money spent responding to the incident.
Your Legal Rights – Join the Class Action Lawsuit
When companies share your sensitive information with vendors, they must still take reasonable steps to protect it and to notify you promptly if it is exposed. Investigations are underway into how this breach occurred and whether Health Care Service Corporation, Blue Cross Blue Shield of Montana, or Conduent violated any data-breach or consumer-protection laws.
The lawsuit alleges that BCBSMT and HCSC:
- Failed to use reasonable safeguards (such as encryption and timely deletion of data)
- Knew about the breach for months but did not promptly notify customers
- Violated Montana’s requirement to report breaches “without unreasonable delay”
- Caused real harm, including invasion of privacy, time and out-of-pocket costs, spam and fraud attempts, and identity theft
The complaint brings multiple counts, including negligence, breach of contract, breach of fiduciary duty, and violations of the Montana Consumer Protection Act. It also cites studies showing that medical identity theft can cost victims around $20,000 on average, with many losing coverage, facing higher premiums, or never fully resolving the fraud.
Plaintiffs are asking the court to certify the case as a class action so that all affected BCBSMT customers can be included and share in any recovery.
What the Lawsuit Seeks for Victims
Among other remedies, the lawsuit seeks:
- Actual and compensatory damages for victims’ time, stress, and financial losses
- Punitive damages to deter similar conduct in the future
- Long-term (often 5–10 years) identity and credit monitoring and restoration services
- Stronger data-security measures, including better encryption, strict limits on data retention, independent security audits, and improved breach-notification practices
What You Can Do If You Were Affected
You should not have to shoulder the cost and risk of protecting your identity because your health information was not adequately safeguarded. The class action aims to hold Health Care Service Corporation, BCBS Montana, and their vendor accountable—and to secure meaningful protections and compensation for those affected.
To join the class action lawsuit or to speak with a data breach lawyer, please complete the form shown on this page. There is no cost to you.









