Lawsuit against Blue Cross-Blue Shield says company knew about massive data breach, didn’t report it

On the same day Montana’s insurance commissioner announced an investigation into a massive data breach by the state’s largest health insurance company, a group of attorneys filed a class-action lawsuit in Helena alleging that the corporation failed to notify customers and didn’t take standard precautions to safeguard the data, which could include birth dates, Social Security numbers and data on the health conditions of individuals.
The class-action lawsuit, filed in Lewis and Clark County District Court, says that Blue Cross-Blue Shield of Montana should be held responsible for as many as 462,000 Montana customers’ private and healthcare information being taken. That is approximately one-third of the state’s residents.
Moreover, it accuses the insurance giant of knowing about the data breach for months, but failing to notify any of its customers that their information was at risk.
Montana Blue Cross-Blue Shield said that it doesn’t comment on pending litigation.
However, in a story about Montana Commissioner of Securities and Insurance James Brown opening an investigation, a spokeswoman for the company told the Daily Montanan that a third-party vendor was responsible for the data breach, but it would not confirm the breadth of the leak.
The lawsuit was filed on behalf of two Montana residents.
“This type of personal and sensitive data is highly targeted and sought after by hackers who seek to exploit that data for nefarious purposes,” the lawsuit said.
The lawsuit asks Lewis and Clark District Court Judge Christopher Abbott to certify it as a class action, meaning that Montana Blue Cross-Blue Shield’s customer base of more than 460,000 could be named and eligible for any settlement. Attorneys for the group include Raph Graybill and Rachel Parker of Graybill Law Firm in Great Falls; John Heenan of Heenan and Cook in Billings; and David Paoli of the Paoli Law Firm in Missoula.
On Friday, a notice about the data breach was placed on the company’s website. It said that the breach was caused by a third-party vendor, Conduent, and that notices about the breach were being sent to customers, beginning on Oct. 24.
The lawsuit also alleges that even though the data breach was discovered and known about in January 2025, Montana Blue Cross-Blue Shield didn’t act quickly. Brown’s office confirmed with the Daily Montanan that it didn’t learn of the data breach till Oct. 8, nearly a year after it said the breach started. According to court documents, it lasted from October 2024 until January.
Montana law requires reporting of breaches “without reasonable delay.”
The lawsuit alleges that the data breach has caused several harms, including an invasion of privacy, lost time and costs associated with the breach, spam and fraud calls, and identity theft.
The lawsuit also seeks several dozen remedies in seven counts being brought against Montana Blue Cross-Blue Shield. Those counts include negligence, breach of contract, violating the Montana Consumer Protection Act and breach of fiduciary duty.
Attorneys argue that Montana Blue Cross-Blue Shield did not take adequate precautions in protecting the sensitive personal and health information, which should have included encrypting the information as well as deleting it when it was no longer needed.
The lawsuit also outlines how data obtained by hackers can be used and sold on the dark web.
“Private information can be sold at a price ranging from $40 to $200. Criminals can also purchase access to entire company data breaches from $900 to $4,500,” the suit said.
The lawsuit then explains how a few personally identifying data points can be parlayed into a larger and nearly complete identity theft of a person.
“Because a person’s identity is akin to a puzzle with multiple data points, the more accurate pieces of data an identity thief obtains about a person, the easier it is for the thief to take on the victim’s identity — or track the victim to attempt other hacking crimes against the individual to obtain more data to perfect a crime,” the lawsuit said. “With (complete) packages, cybercriminals can cross-reference two sources of private information to marry unregulated data available elsewhere to criminally stolen data with an astonishingly complete scope and degree of accuracy in order to assemble complete dossiers on individuals.”
The lawsuit also warns that cybercriminals often hold the data for some time before they use it, or victims don’t discover the theft until well after the fact, after financial damage is done.
“A study by Experian found that the average cost of medical identity theft is ‘about $20,000’ per incident and that most victims of medical identity theft were forced to pay out-of-pocket costs for health care they did not receive to restore coverage. Almost half of medical identity theft victims lose their health care coverage as a result of the incident, while nearly one-third of medical identity theft victims saw their insurance premiums rise, and 40% were never able to resolve their identity theft at all.”
The lawsuit also pointed out that a 2007 General Accounting Office report said that fraudulently obtained data may be held for as long as a year before cybercriminals use it.
“As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm,” the lawsuit said.
The lawsuit estimates that identity and credit theft monitoring will cost around $200 per year per class member.
“This is a future cost for a minimum of five years that plaintiffs and class members would not need to bear but for defendant’s failure to safeguard their private information,” the lawsuit said. “Through its failure to provide timely and clear notification of the data breach … (Montana Blue Cross-Blue Shield) prevented plaintiffs and class members from taking meaningful, proactive steps to secure their private information and mitigate the impact of the data breach. (They) could have taken action earlier had they been timely notified of the data breach.”
As part of the lawsuit, attorneys for the plaintiffs are asking the court to impose a host of protections and punishments, including more encryption, destruction and purging of personally identifying information after its use, prohibiting keeping information on cloud-based services, ordering periodic security checks by both staff and independent auditors, as well as more comprehensive education and alert programs to inform staff and customers.
The suit also asks for actual damages, compensatory damages and punitive damages, as well as a third-party monitoring firm to report for 10 years on whether Montana Blue Cross-Blue Shield is complying with the court order.


