HELENA — In October, MTN reported on a major data breach involving customers with Blue Cross Blue Shield of Montana. Now, as a state investigation into the breach continues, the next steps could be playing out in court.
BCBSMT, the largest health insurance provider in Montana, said in October that up to 462,000 of its members’ data may have been exposed by a “cyber incident” affecting Conduent, a third-party vendor. The company reported the incident to Montana State Auditor James Brown’s office, which launched an investigation.
Now, BCBSMT is arguing the auditor’s actions have been unlawful. The company filed a lawsuit in state district court in Helena, claiming Brown’s office doesn’t have the authority to pursue an investigation.
(Watch the video for more on what's next in the legal battle over the investigation.)
Regulators said they were looking into whether BCBSMT complied with a state law that requires insurers to provide notice when they experience a data breach. However, BCBSMT says it has been exempt from that requirement because they were instead covered under a federal law.
Last year, the Montana Legislature passed and Gov. Greg Gianforte signed House Bill 60, which changed that law to require companies with that federal exemption to still follow the data breach notification rules. BCBSMT says HB 60 didn’t take effect until Oct. 1, and that they learned about the breach from Conduent on July 1 and completed their own analysis of the impacts on member data on Sept. 23. The company argues there was no provision to make the bill retroactive, so their exemption still applies to any breach that happened before Oct. 1.
BCBSMT reported the breach to Brown’s office after Oct. 1, but argued that was a “courtesy” notification, not actually required.
In a complaint, BCBSMT’s attorneys said allowing the auditor’s office to continue its investigation would create “immediate and ongoing irreparable harm, including regulatory coercion, compelled compliance with inapplicable statutory provisions, disruption to BCBSMT’s operations, and loss of the statutory protections.”
The auditor’s office argued that it has long interpreted state law to require companies to report data breaches regardless of the exemption BCBSMT pointed to. They said the court doesn’t have the authority to step in to this case until the office’s administrative process is complete – and they said there’s still no guarantee they’ll even find a violation.
“Assuming that the final order is adverse to BCBSMT, which is not a fait accompli, there is no dispute that BCBSMT may seek judicial review,” they said. “But the insurance company’s request for a preliminary injunction must be denied.”
Brown’s office scheduled a public hearing on BCBSMT and the data breach for Jan. 22. The company asked the court for a restraining order to stop the hearing, but District Judge Chris Abbott allowed it to go forward. A hearing examiner took testimony and will begin work on possible recommendations in the coming weeks. Whatever recommendations the examiner makes will go to Brown for a final decision.
On Wednesday, the two sides appeared before Abbott for a hearing on BCBSMT’s request for a preliminary injunction to halt the auditor’s investigation. The judge has not yet made a ruling.
Tyler Newcombe, a spokesperson for Brown’s office, released a statement to MTN.
“It is deeply troubling that after a data breach affecting hundreds of thousands of Montanans, Blue Cross Blue Shield sought to avoid regulatory scrutiny by suing the State and attempting to block this hearing,” he said. “These types of hearings occur regularly and are a standard part of regulatory oversight. No company is entitled to special treatment. Montanans deserve transparency and accountability when their personal and health data may have been placed at risk, and our office is simply asking to follow the evidence and reach a conclusion in due course.”
MTN reached out to BCBSMT for a response. The company declined to comment on ongoing litigation.
