Montana Judge Clears BCBS Data Breach Probe

What the Court Ruling Means

A state district judge in Helena has dismissed a lawsuit filed by Health Care Service Corporation (HCSC). The ruling allows the Montana State Auditor’s Office to move forward with its investigation into a data breach at Blue Cross Blue Shield of Montana (BCBSMT). Judge Chris Abbott’s decision reaffirms the auditor’s regulatory authority over insurance companies operating in the state.

State Auditor James Brown welcomed the outcome. “I would call it reaffirming the obvious, which is what the court did,” Brown said. “Clearly, the Montana Legislature has given me the authority to look into the affairs of companies that do business in Montana in the insurance field.”

How the Data Breach Happened

The Conduent Cyber Incident

In October 2024, BCBSMT disclosed that a cyber incident at Conduent — a third-party vendor — may have exposed the personal data of up to 462,000 of its members. BCBSMT is the largest health insurance provider in Montana. Therefore, this breach potentially affected roughly one-third of the entire state’s population.

What Data Was at Risk

The company reported the incident to the State Auditor’s Office after learning about it from Conduent on July 1. Furthermore, BCBSMT completed its own internal analysis of the impact on member data on September 23. The exposed data raised immediate concerns about consumer privacy across Montana.

Why the State Auditor Launched an Investigation

The Auditor’s Regulatory Role

The State Auditor also serves as Montana’s Commissioner of Securities and Insurance. Consequently, Brown’s office holds clear authority to investigate whether insurers comply with state data protection laws. The agency focused specifically on whether BCBSMT gave timely notice of the breach, as required under Montana law.

The Scale of the Impact

“It’s one-third of the state’s population whose personal data is compromised,” Brown said. His office moved quickly to open a formal investigation and brought in a hearing examiner to review the facts. Additionally, a public hearing took place in January to gather testimony on the matter.

HCSC’s Legal Challenge and Why It Failed

The Parent Company’s Lawsuit

HCSC, BCBSMT’s parent company, filed suit against the auditor’s office. The company asked the court to rule that Brown’s office lacked authority to conduct the investigation. HCSC argued that BCBSMT operated under a federal exemption and therefore did not need to follow state reporting rules.

Why the Judge Rejected the Argument

However, Judge Abbott sided with the auditor’s office on procedural grounds. He ruled that BCBSMT must complete the administrative process before bringing its complaints to court. In his decision, Abbott wrote that allowing a declaratory judgment would give BCBSMT an opportunity to “skip the administrative process” — an avenue it does not otherwise possess.

The House Bill 60 Dispute Explained

What the New Law Changed

Last year, the Montana Legislature passed House Bill 60. Governor Greg Gianforte signed it into law. The bill removed the federal exemption and required all companies — including those previously exempt — to follow state data breach notification rules.

BCBSMT’s Retroactivity Argument

Nevertheless, BCBSMT disputed how the law applied to its case. The company argued that HB 60 did not take effect until October 1 — after it had already learned about the breach and completed its analysis. Moreover, BCBSMT contended that nothing in the bill made it retroactive. As a result, the company maintained that its notification to Brown’s office was only a voluntary “courtesy,” not a legal requirement.

The Auditor’s Counterargument

Brown’s office disagreed. His team argued that the court should not intervene until the investigation concludes. Abbott agreed with this procedural position, though he did not rule on the substance of BCBSMT’s arguments. Notably, if the auditor’s final findings go against BCBSMT, the company retains the right to challenge them in court at that time.

What Happens Next in the Investigation

The Hearing Examiner Resumes Work

Brown confirmed that the HCSC lawsuit delayed the investigation significantly. Now, however, the hearing examiner can resume working toward findings. Those findings will determine whether any laws were violated and whether penalties are warranted.

Brown Makes the Final Call

Once the examiner submits recommendations, Brown will make the final decision. The process gives both sides a formal opportunity to present their positions before any penalties come into play. Ultimately, the outcome will test how Montana enforces its data privacy laws against large insurers.

Why This Case Matters for Montanans

Strong Privacy Laws at Stake

This case carries broad implications for data privacy in Montana. The state has enacted strong laws to protect its residents’ personal information. Brown emphasized his commitment to upholding those protections. “I’m pleased that the district court in Helena is allowing us to move forward with our investigation,” he said.

Setting a Precedent for Insurers

Beyond BCBSMT, the outcome will signal to all insurers doing business in Montana that the State Auditor takes data breach compliance seriously. In addition, it reinforces that companies cannot use federal exemptions to sidestep state consumer protection laws — especially when those laws now explicitly close that loophole.

For Montanans whose data may have been exposed, the investigation represents a critical step toward accountability. Meanwhile, Brown’s office continues its work to determine whether any violations occurred and what remedies may follow.
