A class action lawsuit has been filed against Blue Cross Blue Shield of Montana (BCBSMT) over the insurer’s alleged “failure to protect sensitive personal information” of customers during a data breach.  

This comes as Montana State Auditor and Commissioner of Securities and Insurance James Brown on Wednesday launched an investigation into the breach from a third-party business that works with BCBSMT.  

Why It Matters 

The lawsuit claims that the BCBSMT was negligent by failing to protect members’ sensitive personal and medical data, exposing them to identity theft or fraud. Furthermore, the plaintiffs claim that BCBSMT has yet to notify members about the breach and potential impacts of the compromised data.  

The plaintiffs in this case are accusing the insurer of negligence, invasion of privacy, breach of implied contract, violation of the Montana Consumer Protection Act and unjust enrichment, according to the case filing.

What To Know 

Attorneys from Western Justice Associates filed a complaint in the U.S. District Court of Montana on behalf of their clients Thursday. The case is against Health Care Services Corporation, which is the licensee of Blue Cross Blue Shield in five states, including Montana.  

From November 2024 to March 2025, third-party business services company Conduent suffered a data breach that compromised personal and health data from about 462,000 Montanans.

This information likely includes names, Social Security numbers, dates of birth, phone numbers, billing and medical data, treatment and diagnosis codes, provider names and claims amounts that could be used by “malicious actors” to commit fraud or identity theft, according to the filing.  

The filing said BCBSMT completed an investigation into the breach to review affected data on September 23, 2025, and notified the Montana State Auditor’s Office in early October.  

Despite being aware of the breach for many months, the plaintiffs claim that BCBSMT has yet to notify its members about it.  

The filing said the ramifications of BCBSMT’s failure to secure members’ personal information are “long-lasting and severe,” citing reports from the Federal Trade Commission and CreditCards.com. 

“[BCBSMT] was aware, or reasonably should have been aware, that a member’s sensitive personal information is of significant value to those who would use it for wrongful purposes,” the filing states. “Once sensitive personal information is stolen, fraudulent use of that information and damage to the affected members may continue for years.” 

In a statement earlier this week, Montana State Auditor Brown said the breach was not just a technical lapse, but a “deeply disturbing incident with far-reaching and jaw-dropping consequences for our citizens.”  He also said BCBSMT did not notify customers in a timely manner and is taking action to ensure accountability and transparency for Montanans.  

BCBSMT confirmed to Newsweek that some of its member data was affected by the cyberattack on the third-party company but claims that BCBS systems were not affected.  

The filing claims that plaintiffs either have suffered or are at increased risk of suffering damages as a result of the data breach. This includes the compromise, publication, theft and/or unauthorized use of their personal data, out-of-pocket costs associated with prevention, detection, recovery and remediation from identity theft or fraud, lost opportunity costs and lost wages and time. Plaintiffs also claim they are at risk of future leaks “so long as [BCBSMT] fails to undertake appropriate measures to protect” the personal identifying and protected health information in their possession. 

According to the filing, at least one plaintiff has noticed “suspicious activity” regarding her Social Security number this year. 

Because BCBSMT “has demonstrated an inability to prevent a breach,” the plaintiffs and class action members said they have an “undeniable interest” in ensuring that their personal identifying information and protected health information is secure, remains secure, and is not subject to further theft.  

When asked for comment on the latest court filing, Blue Cross Blue Shield told Newsweek it does not comment on pending litigation.

What Happens Next 

According to the filing, the court will determine whether BCBSMT had a duty to implement reasonable cybersecurity measures to protect members’ sensitive personal information and to “promptly” alert them if that information was compromised.  

Plaintiffs are also asking the court to decide whether the insurer violated its duty by failing to take “reasonable precautions” to protect members’ sensitive personal information, whether it acted negligently by failing to implement reasonable data security practices and procedures, and whether these failures violate Montana’s Consumer Protection Act.  

UPDATE 10/24/2025 at 1:08 p.m.: This story has been updated with comment from Blue Cross Blue Shield.

Have an announcement or news to share? Contact the Newsweek Health Care team at health.care@newsweek.com.