Montana CSI Holds Public Hearing on BCBSMT Cybersecurity Breach After Court Denies TRO

The Montana Office of the Commissioner of Securities and Insurance (CSI) held a public administrative hearing on January 22, 2026, regarding a cybersecurity breach involving Health Care Service Corporation, a mutual legal reserve company, doing business as Blue Cross Blue Shield of Montana (BCBSMT).

Prior to the hearing, BCBSMT sought a temporary restraining order (TRO) from the Lewis and Clark County District Court to prevent the hearing from taking place. The court denied that request, and the hearing proceeded as scheduled.

The purpose of the hearing was to receive evidence and determine whether BCBSMT complied with Montana law requiring the timely reporting of cybersecurity incidents, as well as to examine the facts and circumstances surrounding the breach. The cybersecurity event, which BCBSMT reported to CSI in October 2025, may have impacted approximately 462,000 Montanans and involved sensitive consumer data, including personally identifiable and protected health information.

During the hearing, evidence and testimony addressed the timeline of events, BCBSMT’s response to the breach, and its assertion that a third-party vendor, Conduent Business Services LLC, was responsible for the cybersecurity incident. CSI is reviewing whether BCBSMT fulfilled its statutory obligations regardless of third-party involvement. This includes evidence that BCBSMT was first received notification from Conduent Business Services in January 2025 about a potential data breach, but did not notify CSI until October 2025.  

“It is troubling that it appears BCBSMT attempted to avoid regulatory oversight and accountability by seeking to block this hearing through the courts,” said Communications Director Tyler Newcombe. “Our office is committed to protecting Montanans and ensuring a fair, transparent, and very serious process when sensitive personal and health data may have been placed at risk. That is exactly what this hearing was designed to do. Our office will consider all the evidence and then issue a final order in due course.”

Montana law requires regulated entities to report cybersecurity breaches in a timely manner to protect consumers and ensure transparency. The hearing was conducted pursuant to that authority.

A Hearing Examiner will review the record and prepare a proposed decision for the Commissioner to consider. CSI will release additional information, including a detailed timeline of events, as it becomes available.

 ###

840 Helena Avenue, Helena, Montana 59601
(main fax) 406.444.3413  I  (securities fax) 406.444.5558
(insurance consumer services fax) 406.444.1980  I  (legal fax) 406.444.3499
(phone) 800.332.6148 or 406.444.2040  I  (email) csi@mt.gov  I  (web) www.csimt.gov

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.