Judge lets state auditor's investigation into data breach affecting Blue Cross Blue Shield members move forward
What Happened
A Montana judge has allowed the state auditor to proceed with an investigation into Blue Cross Blue Shield of Montana (BCBSMT) and its parent company HCSC over a breach notification involving Conduent, a third-party vendor. The breach exposed data belonging to 462,000 BCBS members. The state auditor's office opened an investigation specifically focused on whether BCBSMT's notification to the state was timely under HIPAA's 60-day breach notification rule. HCSC attempted to block the investigation through legal action, but the court ruled the auditor has authority to examine the notification timeline. This case underscores growing state-level scrutiny of not just breaches themselves, but the procedural compliance surrounding breach response and disclosure.
Data Exposed
While the summary does not specify the exact data types exposed in the Conduent breach, vendor breaches of this scale typically involve:
- Member names and contact information
- Social Security numbers
- Health insurance policy numbers
- Claims data and treatment history
- Protected health information (PHI) maintained by the business associate
Response & Remediation
- BCBSMT notified the state auditor after discovering the Conduent breach
- The state auditor initiated a formal investigation into notification timeliness
- HCSC challenged the auditor's authority through legal proceedings
- A Montana judge rejected HCSC's challenge, allowing the investigation to continue
- The case now moves forward with potential findings on compliance with notification requirements
Why It Matters
This case signals a critical shift in enforcement focus: regulators are no longer just penalizing breaches, they're scrutinizing the procedural compliance and timing of breach response. For independent practices, this means that even if a breach originates with a vendor, your notification timeline to authorities and affected individuals can become the basis for separate enforcement action. The 60-day HIPAA notification rule is now under a microscope at the state level.
The involvement of a third-party vendor (Conduent) highlights ongoing business associate agreement (BAA) risk. Practices often assume their vendors are compliant, but they remain legally responsible for timely notification regardless of where the breach originated. Under HIPAA a breach is treated as discovered on the first day it is known to the covered entity, or would have been known had it exercised reasonable diligence, so when a vendor delays disclosure to you, your clock is already ticking. Without real-time vendor monitoring and breach response protocols, practices can find themselves in regulatory crosshairs for procedural failures, even when they were not the source of the breach.
State auditors are increasingly exercising independent investigative authority over covered entities, adding a layer of regulatory exposure beyond federal enforcement by the HHS Office for Civil Rights (OCR). This Montana ruling shows that legal challenges to state oversight are unlikely to succeed, so practices must prepare for scrutiny from more than one jurisdiction.
How Patient Protect Helps
Patient Protect's Vendor Risk Scanner tracks BAA status and continuously assesses vendor security posture, alerting you to compliance gaps before they become breach notifications. The Breach Simulator models response scenarios against your actual controls, including notification timelines, so you know exactly how quickly you can execute on the 60-day rule. Security Alerts provide real-time monitoring for anomalous access patterns, and ePHI Audit Logging creates immutable per-session access records that prove exactly when you became aware of an incident—critical evidence in timeliness investigations. The Autonomous Compliance Engine auto-generates breach response tasks with deadline tracking, ensuring notification requirements don't slip through procedural cracks. Unlike documentation-only platforms charging $259-$2,000/month, Patient Protect provides operational security at $39-$99/month with no contracts. Start a free trial at hipaa-port.com or check your risk at patient-protect.com/risk-assessment.
AI-generated analysis · Verify with original source
